Just this past week, I had a great podcast with a C-Level Exec from an established Cybersecurity firm based out of the state of Washington. I’ve got to be honest; this guest totally blew me away. Not only was he completely, downright honest and open, but he actually shared some client case studies in which they put the customer ahead of any revenue-making goal. Heck, he has even told potential new clients that if his firm can’t deliver, they should simply cancel the contract.

I thought, “WOW!!” How many C-Levels would say that to a customer? Probably not too many. Eventually, our podcast also examined the Cyber Threat Landscape and what 2020 holds down the road. We both agreed that one of the big, debated topics will be that of holding the CIO/CISO much more accountable, especially when it comes to communicating with his or her employees.

In fact, this topic has already started to hit the media waves, and there are already articles out there on the kind of conversations that employees need to have with their CIO/CISO.  So, what kind of talks should you have with your proverbial fearless leader?  Here are three hot topics to get started with:

*Should the IT Department and the IT Security Staff be one or two individual departments?

Quite surprisingly, according to a recent survey conducted by Kaspersky, almost 40% of the CISOs/CIOs polled believe that the two should be their own, separate entities. Meaning, the IT Department simply focuses on new product roll-outs and providing tech support, and the IT Security team focuses on what they do best: beefing up the lines of defense and thwarting any attacks. In other words, there is no interaction between the two except when it is absolutely needed. In the survey, both the CIOs and the CISOs felt that separating the two would give them a much better sense of autonomy and control, as well as unbiased opinions and advice.

But they also admitted that there is a flip side to this, and that in certain areas close cooperation is required, especially when it comes to the deployment of software and firmware patches/upgrades, and to physical/logical access. Also, if the two are separated, the IT Security team may not be aware of new product or application procurements, even though these will need to be tested in a sandbox environment before they can be released into the production environment.

Unfortunately, in the end, Cybersecurity workers are still often viewed as the “bottlenecks”, as everything has to have the security stamp of approval before it can go live to employees and customers. So, what does one do? Should you separate your IT Department and IT Security staff into two different units? This is the kind of conversation you need to be engaged in with your CIO/CISO.

If your organization is large enough, perhaps this could be a viable option. But if you are a small mom-and-pop operation (like me), this is probably not even a discussion worth having. For example, in these instances you would probably have just one or two IT employees, so how are you going to separate them out?

A lot depends upon the unique security requirements of your business and your teams. Obviously, both sides need to feel comfortable about this, so that no further animosity arises between the two teams. An option here would be to hire a vCISO, whose primary job responsibility would be to oversee the effectiveness of the independent, daily job functions of both teams, should you decide to separate them out.

*What kind of metrics/Key Performance Indicators (KPIs) should be used?

In the world of Cybersecurity today, it is hard enough to keep track of what is happening in terms of attacks and what looms on the horizon in terms of future threat variants. To compound this, other things are also evolving, especially all of the techno jargon and metrics that keep coming out. Examples include the following:

*The total number of Security Breaches that have occurred over a certain time frame;

*The total number of Cyberattacks that have been blocked because of the preventative measures that have been deployed;

*How many patches and upgrades have been deployed on a regular basis (and what the success rate of that was);

*How long it took to detect a Cyberattack;

*How long it took to mitigate a certain risk;

*The downtime period experienced in the wake of a Security Breach;

*Etc., etc., etc.

As you can see, the list goes on and on, and it will only keep growing; it will never shrink. Many IT Security managers feel that their CIO/CISO’s time is too valuable, so they only report numbers to them.

But even this can be overwhelming, and the truth of the matter is that your CIO/CISO also needs some sort of context to support these numbers as he or she presents them to other members of the C-Suite, and ultimately the Board of Directors. In other words, numbers tell only one aspect of the story; you need the written content as well, which is where the qualitative analysis component comes into play.

This is especially crucial when your CIO/CISO has to present justification for more money in the Cybersecurity budget. Thus, it is very important to have in-depth conversations with your CIO/CISO about how these metrics should be presented to him or her, as well as to their peers and higher-ups. A great idea is to make use of what are known as “Infographics”, where written content is married up to statistics and numbers through the use of visual cues.

*The lack of a sustainable workforce:

There is no doubt that there is a severe shortage of Cybersecurity workers in the industry, and this gap is only expected to widen further in 2020. As I scour the Cyber news headlines every day, there is always a story about how a university or college has started to offer a new degree program in Cybersecurity, or has even set up new bootcamps for kids still in high school, in order to entice them into a Cybersecurity-related career.

But here is the truth of the matter: there are great candidates out there, but they do not yet have a lot of the requisite experience. Many CIOs and CISOs want only candidates who have been entrenched in the field for years, or they fear hiring less experienced candidates because of the common belief that once trained, they could jump ship in a heartbeat. In fact, according to the same study by Kaspersky, over 70% of CIOs and CISOs hold both of these views. This is another kind of deep-level conversation that you, the IT Security Manager, have to have with your CIO/CISO.

You need to review how your current compensation and benefits compare with industry standards, and what other steps you can take to retain your existing staff to the best of your ability. This could simply mean that you have to implement more employee recognition and award programs, in order to keep your IT Security staff motivated to do their best at all times.

Also, you need to convince your CIO/CISO that there is nothing wrong with hiring a person with much less experience. Of course, more time and resources will be needed initially to bring this particular candidate up to speed, but what is wrong with that? As I said, there is plenty of great talent out there; it just needs to be tapped into. CIOs and CISOs alike are going to have to take this risk if they want to keep their existing IT Security staff from being overtaxed.

Remember, the flip side to this is burnout. If your employees keep putting in 15-hour workdays, they probably will not be around for long. Also, keep in mind that the only way the Cybersecurity workforce gap is going to shrink is if you convince your CIO and/or CISO to take this risk.

My Thoughts On This

Well, there you have it: the top three conversations you need to be engaged in with your CIO and/or CISO. Remember, these are not just one-time conversations; you need to keep your CIO/CISO continually engaged in these areas on a regular basis in order to see any results filter through.

But also keep in mind that there are other, equally important conversations that you need to have with them, and those will be the topic of a future blog.

For more details about the Kaspersky survey, click on the link below: