
The Cybersecurity Manager's Guide: The Art of Building Your Security Program

Nov 29, 2025 · 17 min

Episode description

Outlines a seven-step methodology for building an effective InfoSec program by focusing on the "art," or people side, of security. The author, Todd, draws on over two decades of experience to argue that success hinges on cultivating strong relationships and ensuring alignment with the company's risk tolerance, as most organizations are indifferent to information security. The book advocates for the "neighborhood watch" model where security responsibilities are shared across the company, rather than centralized, emphasizing key processes like documentation, governance, security architecture, and communication as vital cornerstones for establishing a security culture. Finally, the text suggests measuring success through simple, relatable metrics like an employee's ability to identify and report phishing emails and policy violations, to demonstrate the program’s return on investment to leadership.

You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cyber_security_summary

Get the Book now from Amazon:
https://www.amazon.com/Managers-Guide-Information-Security-Domain/dp/149207621X?&linkCode=ll1&tag=cvthunderx-20&linkId=35de11d3f76496577dcb908743bf4a7c&language=en_US&ref_=as_li_ss_tl

Discover our free courses in tech and cybersecurity, Start learning today:
https://linktr.ee/cybercode_academy

Transcript

Speaker 1

Welcome back to the deep dive. Today we're opening the playbook for successful information security leadership, right, but we're deliberately keeping the technical stack, you know, in the closet for this one.

Speaker 2

Huh yeah, good place for it.

Speaker 1

So today's deep dive is into the art of infosec, that subtle, non-technical side of building a really robust and, importantly, sustainable security program.

Speaker 2

That's absolutely our focus. Our mission really is to synthesize the insights from the source material and extract what looks like the true formula for creating a respected security function. And whether you're starting with a blank sheet of paper or inheriting a bit of a chaotic mess, the argument here is pretty compelling, which is that long-term success hinges far more on people skills, cultural influence, and, you know, management finesse than on any particular piece of security software.

Speaker 1

And the context for needing this shift is actually quite shocking, isn't it? The author shares his experience moving from a military environment.

Speaker 2

Right, where security is just baked...

Speaker 1

In. Exactly. It's understood and followed. Moving from that to the corporate infosec world back in January 2000, he calls that transition an absolute shock.

Speaker 2

Yeah. I remember reading that part.

Speaker 1

Stating he had more sleepless nights in his first year of corporate life than navigating the Persian Gulf during armed conflict.

Speaker 2

Wow. That really tells you something, doesn't it.

Speaker 1

It tells you everything about the apathy he must have faced immediately.

Speaker 2

Exactly, and that initial shock it sort of defines the environment for so many.

Speaker 1

That feeling of pushing a boulder uphill.

Speaker 2

Yeah, most security leaders feel like that because the fundamental forces of the organization often seem to be working against them. That feeling of being perpetually outmatched. That's the difficult reality you pretty much have to accept, okay, because it frames every strategic decision you're going to make going forward.

Speaker 1

Okay, let's unpack this difficult reality. Then what are the, uh, the undeniable fundamental facts describing the environment for most infosec professionals?

Speaker 2

Well, the source material lays out three pretty brutal truths. And again this is for the majority. Right, we're excluding the rare unicorns in say, highly regulated sectors like banking or maybe those with really strong executive sponsorship.

Speaker 1

Got it, So for most places.

Speaker 2

For most places, first, nobody in the company outside of your own team usually cares that much about infosec. Ouch.

Speaker 1

Okay.

Speaker 2

Second, nobody in the company really understands your job. I mean, the scope is just massive, right, covering eight separate domains, demanding you interact with engineering, HR, legal, product teams all at the same time. And third, our entire industry, let's be honest, is often guided by fear and scare...

Speaker 1

Tactics, which don't always work.

Speaker 2

Which often backfires. Yeah.

Speaker 1

I think that first point, the apathy one, we need to stop there for a second. The sources mention this, like, shocking cultural disconnect. If we all agree the number one security control is asset enumeration...

Speaker 2

Knowing what you have?

Speaker 1

Yeah, knowing what you have? Why is neglecting that proof of apathy?

Speaker 2

Well, it's proof because asset enumeration is just a fancy way of asking what digital stuff do we own and where is it? Right? Simple question, seems simple. But if you don't know what digital assets you have, you just, you can't protect them. It's like building a fortress without knowing how many doors and windows it has.

Speaker 1

Right.

Speaker 2

The fact that so many organizations seem to completely ignore this foundational step, it just shows that security often isn't the priority; it's treated more like an afterthought.

Speaker 1

Wait, but if this lack of care is so pervasive, you mentioned policy violations being ignored while HR policies get strictly enforced. Isn't that a failure higher up, like executive leadership? How can one CISO possibly overcome that kind of ingrained disregard without, you know, massive regulatory backup?

Speaker 2

You've hit the absolute central dilemma. And the conclusion from this painful reality check is pretty stark, which is that the work of building a sustainable infosec program rests essentially solely on the security leader's shoulders. Wow. You have to accept that you are effectively on your own. You can't just rely on executive mandates or fear tactics to compel change. That acceptance, it sounds negative, but it's actually the necessary first step toward building the program strategically.

Speaker 1

That makes a lot of sense, actually. Okay, so once you accept that environment, the source material pivots pretty quickly to the art of the job. It presents a seven-step formula. Let's dive into the first two, because they seem purely cultural.

Speaker 2

They really are. Step one is the absolute foundation of this whole approach. Relationships come first, always. Success is basically impossible without building truly excellent working relationships across the entire company. And to do this, the infosec team has to dedicate, get this, up to twenty-five percent of its entire operational time just to activities that build and maintain these bridges.

Speaker 1

Twenty-five percent. That's, yeah, that's huge. What does that actually look like? Is that just, like, smiling at people in the hallway?

Speaker 2

Yeah? No, far from it. It means actively looking for ways to help other teams solve their problems, even if they aren't strictly security problems initially.

Speaker 1

Ah, okay, building goodwill. Exactly.

Speaker 2

It means running informal sessions, maybe not about rules, but about understanding, say, a peer department's new product launch constraints. It means, you know, taking system owners out for vendor-sponsored lunches, just removing that transactional friction. Right. The contrast here is that classic, often contentious approach where the security team acts like a radiologist. A radiologist? Yeah, just holding up the X-ray showing all the flaws, you know, exposing shortcomings. System owners then start referring to your vulnerability scanning as friendly fire.

Speaker 1

Ouch, yeah, I've heard that.

Speaker 2

And that just breeds organizational antibodies, right, people actively trying to block the security team. Yeah, and that, that's the kiss of death for any CISO.

Speaker 1

So we shift from being the company police to being, like, trusted consultants. Precisely. Okay, that transition leads us right into step two: alignment. Now, this seems really counterintuitive compared to the traditional security purist approach that says you must strive for maximum protection no matter the cost.

Speaker 2

It is counterintuitive, but critical.

Speaker 1

Yeah.

Speaker 2

Alignment means recognizing that your job is to be the security person the company wants you to be, not the purist you think they should have. It means operating within the company's existing and often unstated risk tolerance. You absolutely have to read the culture and figure out where the company's risk needle is actually pointed when it comes to information loss.

Speaker 1

Okay, how do you read that needle. It's not like they publish it.

Speaker 2

Right, no, definitely not. The best indicator usually is how the organization reacts, or doesn't react, to a major incident or a breach. Ah.

Speaker 1

Actions speak louder than words.

Speaker 2

Totally. The author shares this career-defining moment. He experienced a breach that got, in his words, hardly any attention. Really? A breach? Yeah. Leadership didn't demand some big executive summary, no new resources flowed, nobody got reprimanded, and he realized quite clearly the company didn't really care about data breaches.

Speaker 1

That must have been jarring.

Speaker 2

Jarring, but also clarifying. This revelation was key. It allowed him to stop stressing over those purist ideals, align with the actual appetite for risk, and then focus on building the program the company would genuinely support and fund. Wow. Failure to align with that reality, that's often why CISOs find themselves constantly in conflict, and probably why the average tenure's just a little over two years. They're fighting the culture instead of working within it.

Speaker 1

That is, that's the ultimate strategic point, isn't it? Okay, Moving past acceptance and alignment, let's talk practical tools. How do you build the program when you know your central team will always be basically resource constrained?

Speaker 2

Right, you use governance and shared ownership. This starts with what the source calls the four cornerstones as part of step three, and then it moves into the necessity of the neighborhood watch, which is step five.

Speaker 1

Okay, cornerstones first. What are they?

Speaker 2

They're foundational governance documents. First, you absolutely need an information security charter. Think of this as your political document. It grants authority, but crucially it codifies shared infosec responsibility across departments.

Speaker 1

So it's not just security's problem. Exactly.

Speaker 2

Then you need the information security policy, but it has to align with reality. Often that means keeping it brief, clear, focused, not just some industry standard sprawl that nobody reads.

Speaker 1

Practical okay.

Speaker 2

And finally, the Security Incident Response Plan, SIRP. Got to have that.

Speaker 1

Okay, makes sense. And to make those documents actually work and ensure those relationships you built earlier actually influence decisions, you need the governance councils, right?

Speaker 2

Exactly right. You need structure. The source recommends three distinct councils to manage decision making and ensure alignment up and down the hierarchy.

Speaker 1

Okay, what are they?

Speaker 2

First, at the technical level, you have the Extended Security Council, XSC. This brings together the technical leads, you know, the people who actually do the work, to discuss complex technical stuff, the tasty topics, as the author calls them. This council informs the strategy.

Speaker 1

So the geeks get to talk geek.

Speaker 2

Pretty much, yeah, and their input is vital. Then that strategy, those ideas, move up to the Security Business Council, SBC. This group includes key business representatives. They review the XSC's input. They help run the infosec strategy. They weigh in on things like new purchases or policy changes. This is where the real buy-in and alignment happen at the business level. Can you give an example? Sure. Let's say you want to increase the frequency or maybe the consequences of phishing campaigns. Instead of just decreeing it, you let the SBC debate it. They discuss the impact, the frequency, since they effectively own the decision.

Speaker 1

They own the outcomes and the pushback. Exactly.

Speaker 2

It takes the heat off the central infosec team. And then finally, for budget approval and final sign-off, you have the Executive Security Council, ESC, which is your senior leadership group. The whole structure is designed to share the burden.

Speaker 1

Share the burden of decision making.

Speaker 2

That's the whole point. The central infosec team simply cannot own all the operational risk. The company has to, and that thinking leads us directly to step five, give your job away.

Speaker 1

Give your job away?

Speaker 2

Sounds crazy, right, but it's the neighborhood watch concept.

Speaker 1

Okay, explain this one. This sounds revolutionary, maybe a bit scary for a security team. Why is giving away your job necessary?

Speaker 2

It's necessary because infosec is just too broad, too massive for one single department to control everything. You can't possibly secure all the assets centrally. Just not enough people, never enough people. So the only real hope for actually securing the environment is to transition security responsibilities, things like managing endpoint security or administering firewalls. Transition those tasks to the system owners and the engineering teams that already manage those assets day to day.

Speaker 1

Ah. So the people who own the system own its security too.

Speaker 2

That's the goal. The central infosec team has to shift its role almost entirely: become governance, consulting, policy guidance. Effectively, you deputize others across the organization to protect their own homes. You run the neighborhood watch program.

Speaker 1

Okay, but if we're relying on the neighborhood watch to protect the homes, those neighbors need to know what they're doing, right. They need to be competent.

Speaker 2

Absolutely critical point.

Speaker 1

Which brings us to step four: communications, education and awareness. How do we ensure that this kind of cultural training actually sticks and produces measurable results, not just check-the-box stuff?

Speaker 2

Yeah, awareness cannot be an afterthought or just boring compliance videos. It's a critical cornerstone and honestly, it probably requires a dedicated creative staff member if you want to do it well.

Speaker 1

What does doing it well look like?

Speaker 2

Variety. You need different channels: lunch and learns, engaging newsletters, maybe with humor, raffles, campus events, anything to make it not feel like a chore. But the real ROI, interestingly, often comes from targeted technical education for your peers in IT and engineering.

Speaker 1

Ah, okay, the source material gives a great example of this, doesn't it? Where the security team was just stonewalled for, like, a year trying to get intrusion detection systems, IDS, installed.

Speaker 2

That's the perfect example. The bureaucratic channels, the formal requests, they failed for over a year, nothing happened.

Speaker 1

So what did the security leader do, escalate?

Speaker 2

Nope, instead of escalating and creating more friction, he built the relationship and offered value. He arranged for an external vendor to provide specialized network security training, good training, specifically for the network services...

Speaker 1

Team. Ah, giving them something useful. Exactly.

Speaker 2

The engineers attended, they were empowered by the knowledge, they learned why it mattered from experts, and within two weeks, two weeks of the course finishing, they rushed to install the IDS systems themselves at all the key Internet points of presence.

Speaker 1

Wow, just from the training.

Speaker 2

The requirements were delivered through a valuable training session by respected industry folks, not by the central security team just demanding compliance. Huge difference.

Speaker 1

That really shows that relationship building and smart awareness provide security gains, maybe far beyond what tech alone could achieve, and probably way cheaper.

Speaker 2

Too, often at a fraction of the cost.

Speaker 1

Yes. Okay, let's move quickly to step six: team building. If your team members are going to be these evangelists, these deputies, what's the non-negotiable hiring criterion?

Speaker 2

Technical candidates absolutely must have great interpersonal skills, full stop. More important than certs? In this model, yes, more valuable than any specific certification. Remember, you're sending these people out as ambassadors to build that neighborhood watch. If they lack the grace, the empathy, the political agility to handle sticky situations...

Speaker 1

They'll create those antibodies you mentioned.

Speaker 2

Exactly, they'll generate resistance against the team, and all your carefully constructed governance efforts could fail. You hire for diplomacy and communication skills first, then technical aptitude. Makes sense, okay.

Speaker 1

Finally, step seven: measure what matters. If the ultimate goal is this self-defending organization, what are the key metrics? How do you show that cultural change is actually happening?

Speaker 2

You need to focus on metrics that are simple, resonate with leadership, and actually prove the culture is shifting. The author really focuses on two main ones. Metric one: can staff recognize a policy violation when they see one, and do they report it? That shows awareness of the rules.

Speaker 1

Okay?

Speaker 2

And the second, metric two, which he calls the mother of all metrics: can staff identify a phishing email and report it?

Speaker 1

Ah, the phish test.

Speaker 2

It measures the level of healthy skepticism and vigilance in the general employee base. It's a direct indicator of awareness effectiveness.

Speaker 1

And the results from these kinds of intensive cultural campaigns, they prove the power of this focus.

Speaker 2

They really do. The source cites an initial social engineering assessment where the failure rate was forty-six percent. Almost half the employees gave up critical credentials over the phone to someone just posing as IT support.

Speaker 1

Forty-six percent.

Speaker 2

That's bad, that's really bad. But after a three-year intensive creative awareness campaign blitz using all those techniques we talked about, that failure rate dropped dramatically, down to four percent.

Speaker 1

Wow, from forty-six to four. That's incredible.

Speaker 2

It's incredible, and that result is the ultimate proof, isn't it? Leadership, cultural change, smart awareness, they provide a staggering security ROI compared to just throwing money at more expensive boxes.

Speaker 1

So, to wrap it all up, the core idea here is successful infosec isn't achieved by technological mandate from on high. It's achieved by leading a cultural change.

Speaker 2

Yeah, becoming the company's trusted...

Speaker 1

Advisor, and building this wide network of advocates, the neighborhood watch.

Speaker 2

Precisely. If you, as a security leader, want to ensure your survival and hopefully thrive beyond that depressingly short average CISO tenure, you need to ruthlessly prioritize maybe three things.

Speaker 1

What are they?

Speaker 2

First, culture, those relationships. They literally determine the quality of the security program you are allowed...

Speaker 1

To build. Allowed to build, interesting phrasing.

Speaker 2

Second, ensure alignment: operate within the company's actual stated or demonstrated risk tolerance, even if it feels uncomfortable sometimes compared to best practices. And third, view your work as incremental progress. Think of it as continuous laps around the track. Always, always prioritize kindness, humility, and adding value over picking fights, even with difficult teams or underperforming neighbors.

Speaker 1

The source material suggests, and I like this framing, that while infosec leadership needs those left-brain muscles, analysis, engineering, the art side absolutely demands right-brain...

Speaker 2

Thought: creativity, empathy, diplomacy.

Speaker 1

Yeah, to really win over your colleagues. So here's a final thought for you listening. If you find yourself perpetually, you know, warring with other departments over security controls or requirements, consider this: what is just one way you could leverage a simple relationship-building technique this week? Maybe volunteering your team's tech skills to solve a totally non-security problem for an antagonistic department, or maybe running a short, informal but highly valuable training session on something they care about. Just one small step to turn a detractor into even a hesitant security advocate.

Speaker 2

That choice, that decision, that...

Speaker 1

Choice, that conscious effort to build a bridge instead of a wall. That's the true measure of the art of infosec.
