Communication is important for a CSO. Most importantly, CSOs need to communicate with the company’s business leaders to find out which systems matter most to them. This includes the other chief executives, but also can include the lead management figures of sales, marketing, and other departments in the company. By knowing what is important to your company leaders, CSOs can think about security in a business context and focus on protecting those systems that the business needs to operate. By talking to senior management and the VPs of other departments, CSOs can rank business systems in order of importance to the company’s business process and figure out what systems warrant the most attention and budget. While end users will always make mistakes and cause security incidents, that is no reason to take shortcuts or procrastinate when it comes to their training. As soon as employees are hired, educate them about acceptable behavior on company machines, common risks (give an example of a phishing email), what to do in case they suspect a security issue, and what the consequences are if they fail to follow security policies set forth by the company. Allow employees to complete the training at their own pace online, and inform them of an incentive for doing so and a consequence for not doing so. Training can be done as needed, but should be done at least once a year for all users. Track progress and results to present the effectiveness to senior management and to justify training frequency. If training occurs 4 times a year due to users not “getting it”, change things up and show your results to prove what you’re doing has worked! While it would be nice to never have any incidents, the reality is that it will eventually happen. Have a detailed incident response plan prepared and reviewed/approved by senior management, and make sure it includes who to notify of an incident and when – once a situation introduces potential corporate liability, other people such as the General Counsel and the CEO need to get involved. Who is notified and when will vary on the organization, but be sure to include law enforcement in your considerations. Follow the plan closely during incidents, but deviate if necessary. If your security team deviates from the plan, make sure they record a full explanation as to why the plan wasn’t appropriate for the situation. Train your security team on the incident response plan, and talk about reasons they may need to deviate from the plan in order to protect the company. Make sure your team knows they need to do whatever it takes to contain the issue, and they may have to decide whether to follow the exact plan in the moment, without time to get management approval. This is why team training is especially important. The CSO may take heat or receive praise for choices made to stop an incident, and strong team training ensures CSOs are prepared to stand behind the actions of their security team. Any response should be carefully documented and explained. CSOs risk the potential to become scapegoats for not being able to justify their actions during an incident, and this can happen due to not following the incident response plan or following one that no one else in the company knew about. Above all, they need to be honest about what happened, what is being done to contain the situation, and how bad it looks – doing this from the start can save a CSO’s credibility and prevent later accusations that the CSO didn’t properly communicate during the incident. To learn the entire 12-step process to being a Pragmatic CSO, visit Mike Rothman’s website: http://www.pragmaticcso.com/
