Reactive or Proactive: What Makes the Best CISO?

by Chris Bedel | Nov 15, 2019

About a month ago, our team was doing some work with an outside consultant on some personality testing, and how those personalities align with job functions.

If you've never done this with your team, it can be a really valuable exercise, especially if you bring in outside help to analyze the results.

In the process, we began to discuss how certain personality traits were important for certain positions in a company, and more importantly, in cybersecurity.

One of the traits that we were scored on was sense of urgency.  Meaning, does the person work better when they're in a tense situation or under a deadline?  Or does the person work better with longer time horizons, when the work is proactive?

Which brought up the question:
“Should a CISO be more reactive or proactive?”

Should they have stronger skills in staying ahead of their program, or being able to react to the daily demands of the role?

If you look at the evolution of the CISO role in most banks and credit unions, you'll see that the role was typically filled by someone from inside the Information Technology Department.  And that only makes sense.

Those were the folks that were closest to the issues.  Those were the folks that most understood the risks.  Those were the folks that most understood the controls and how to make them effective.

The thing is, though, most information technology folks are reactive by default.  The very nature of the position requires the ability to put out fires in order to be successful.

Being reactive is almost in the DNA of every IT person, especially in financial institutions.  I don’t know very many that are any good at what they do without being able to excel under extreme pressure.  There are exceptions, but not many. One comment in our discussion summed it up nicely:

“IT folks tend to be chaos junkies.  They love coming in and solving a problem, and saving the day.  They love the excitement of it.  But that’s what makes them so good at what they do.”

So if you look at that evolution, it makes total sense that most CISOs are hard-wired to be reactive.

They want to get in and see the logs.  They want to do the threat hunting.  They love when an incident comes up and they can roll up their sleeves and do what they do best, solve problems.

But the more we discussed as a team, the more we kept coming back to the conclusion that a proactive approach is much better for a bank or credit union CISO.

A CISO who is constantly putting out fires is constantly put in situations where they have to react. They are constantly involved in the day-to-day processes of information security and don't have the time to be more strategic about truly making their overall Information Security Program (ISP) better.

A CISO needs to be proactive to take their information security program where it needs to go.  A proactive approach is required to understand the business, to be a business enabler.

Don't get me wrong, a good CISO has that reactive muscle, to some degree.  They have to be able to roll up their sleeves and jump in when something hits the fan, because it will.

As another of our team members put it, “It seems like a good CISO is proactive enough that they allow themselves windows of opportunity to be reactive when they need to be.”

That pretty much sums it up.

If you're proactive 90% of the time, it allows you the 10% of room to be reactive when you need to be.

So as a bank or credit union executive, the manager of a CISO, or as the CISO yourself, you may be asking, “what does the CISO need to do to be proactive?”

While this is not meant to be an exhaustive list, here are some of the high points:


Understand your environment

This seems obvious, but the number of financial institutions we go into where that's not the case is sometimes surprising.  A CISO needs to use tools like the risk assessment, the Cybersecurity Assessment Tool (CAT), and the business impact analysis to understand the business, where your risks are, and what your policy and program gaps are.


Organize your ISP

So once you understand your environment, what are you doing to make sure you stay on top of it?

Cybersecurity and your information security program are a moving target.  It's like a garden: if you don't tend to it, weeds will grow.

We recommend using an ISP task list to do just that.  It’s a simple tool to help orchestrate the moving pieces to stay on top of the various components.


Incident Response Planning

Make sure you understand the plan for when something bad happens.  Make sure you agree with what it's telling the appropriate parties to do, and when.  Make sure it gives them a framework for making decisions in the moment, rather than just a step-by-step playbook (because every situation is different).  Make sure they are trained on it and have walked through various scenarios.

Because when an incident happens, the CISO can't do it all.  Being proactive in Incident Response Planning means you'll have help when you have to react.


Business Continuity Planning

This is related to Incident Response.  It may not be under the CISO’s responsibility, but they should make sure there is a good plan in place for when a cyber-attack disrupts business functions, because it’s about protecting the business, not just cybersecurity.  (IRP is about containment and response; BCP is about putting the pieces back together.  So the two need to be in step with each other.)


Conclusion

Taking a proactive approach is the key to the success of a CISO at a bank or credit union.


But keep in mind, they have to be able to jump in and put out fires from time to time.  It just shouldn't be every day or every week.

Finding the right balance, like almost anything in cybersecurity, is the key.

If your bank or credit union is looking for help with making your Information Security Program more proactive than reactive, or you’re looking for a team of experts to be your CISO, send us an email at support@bedelsecurity.com.


Additional Resources:

The Virtual CISO Whitepaper
https://www.bedelsecurity.com/the-virtual-ciso-whitepaper

Bank Management: 5 Ways a CISO Can Help Drive Innovation
https://www.bedelsecurity.com/blog/5-ways-your-ciso-can-drive-innovatio

How to Manage a Chief Information Security Officer in your Financial Institution
https://www.bedelsecurity.com/blog/how-to-manage-a-chief-information-security-officer-in-your-financial-institution

Your Information Security Program Needs Focus
https://www.bedelsecurity.com/blog/your-information-security-program-needs-focus