CISOs & Security Pros: Need Something Else to Think About?

For many CISOs and security pros, the early days of rapid pandemic response have quieted down.

Warnings about the latest opportunistic email scams have been sent, and regular reminders will go out. You told everyone to password-protect their group video conferences and be smart about securing their home Wi-Fi.

Matthew Todd, Principal Consultant, Full Scope Consulting LLC

CISOs may be back to business-as-usual (or business-as-the-new-usual) but in a uniquely concentrated way, as they handle their responsibilities from home. Given the extreme novelty of our current situation, I thought it might be good to share a few ideas to ponder when you need a break from the usual.

Give Some Thought to People Management

CISOs are naturally inclined to think about risks, so put that inclination to good use and think about people management in the context of a pandemic. Firms will need to continue to do traditional people-tasks, things like onboarding, offboarding, training, mentoring, and management, even as many are isolated and working from home. This may be a good time to consider some of these:

  • Be sure that the onboarding process works for new staff who may not see your offices for weeks or months. How is equipment requisitioned, configured, sent? What guidance will the new employee get? Will there be a remote meet-and-greet? Will the new employee receive specific training before getting access to sensitive resources?
  • Review offboarding procedures in light of remote-work requirements. Are tools and training for IT adequate for both routine and emergency terminations when laptops may be sitting in employees’ residences?
  • The “insider threat” takes on a whole new meaning when every employee’s household is potentially “inside.” Many articles have been written about safe working practices from home, but it bears repeating when bored roommates (or children) may eye an unlocked work laptop as an opportunity for mischief. Are managers trained to identify signs of stress in remote staff that could be early indicators of an insider threat? Do IT and security teams have the tools and training to identify abnormal behavior when working hours can be nearly random?

Walk in Another Team’s Shoes

This could be a chance to learn about other teams and gain valuable perspectives.

If developers drive you particularly nuts, try going through their onboarding process. Watch the videos that the engineering managers use to orient their new staff. This isn’t necessarily a chance to find flaws in the training (“Why didn’t they include my great slides on OWASP?”). Instead, see what the engineers find exciting. This is a chance to learn about the process and how to engage them.

If your engineers use particular tools, search for YouTube videos of experts talking about the cool things they’ve done with them.

The same can easily apply to marketing, data analytics, or product management teams. You will end up with ideas about where and how to better engage with these teams by speaking to them about processes and tools that really matter to them.

Get Some Legal Chops

I’ve talked about this before, but this may be a perfect time to dig into legal and regulatory matters that affect your organization. Don’t focus solely on privacy and security. There are other risks that may impact your firm or industry that are worth thinking about, like fraud or patent trolling. What kinds of lawsuits impact firms in your industry? What actions have regulators taken against peer firms?

Ask your friends in legal for recommendations on sites or reading (and if you don’t have friends in legal, now’s a good time to get some!). Many legal firms have great blogs – maybe your outside counsel has some good stuff. Regulators provide guidance. Even your company’s insurance broker may have some good ideas about legal and regulatory matters that impact your firm’s industry.

Compliance for the Security Professional

CISOs know that compliance is a critical part of modern business. Yet, they may not always know how their security program is supposed to meet compliance obligations.

Have Some Fun with Your Team

If your team has any collective time, why not have some fun? Invite them to come up with challenges for the whole team. They could be security quizzes, puzzles, or even forensic challenges. Who can be the first to spot an entry in the log files that one team member seeded by taking a harmless but unusual action on your intranet? Have someone teach the team a skill, like log analysis or cell phone forensics. Share the knowledge, and eliminate some of those single points of skill.

Have Some Free Time?

This may be your chance to learn a new skill. Choose one that provides some concrete result or reward. I’m trying beer making. It’s not much of a stretch from baking with sourdough, but different enough that I feel like I’m learning something new. And I get to enjoy the final result. I hope.