Doing your diligence- CISO edition

Hello friends,

 Hope you are doing well and getting ready for the long weekend! This week we are featuring the first of a series of content meant for security leaders – helping them choose the right company fit with their unique skillset. 

And a friendly reminder- If you are a fellow Coloradan, please make sure to register and attend the Rocky Mountain Infosec Conference, which goes from Wednesday June 7- Friday June 9. I’ll be part of a panel Wednesday afternoon looking at trends in security jobs from the perspective of a recent entrant, CISO, bootcamp counselor, and recruiter (me). Should be fun.

Cheers,

Brad

Doing your diligence- CISO edition

Depending on your source, CISO turnover runs somewhere between 24 months and 4 years. Whatever it is, it’s high.

The reasons for job departure are quite common: burnout, feeling hamstrung by lack of resources, and misalignment with other departments (often IT). Sometimes the grass is just greener on the other side of the fence.

No company is perfect. But certain environments are a better fit for certain people. It’s okay for things not to be perfect (after all, if they were, we wouldn’t have jobs). But it’s not okay to be surprised by knowable things when you start a new job.

Oftentimes, this can simply be chalked up to a lack of diligence. We’ve written previously about the importance of asking questions and doing diligence upfront- in a general sense. Today we’ll focus on the questions at a potential CISO can ask specifically to judge whether an environment is a good fit.

Here’s what to do:

• Don’t be shy about asking questions- your diligence on the company is at least as important as their diligence on you
• Choose a few questions to ask to multiple people, to check for consistency (e.g. descriptions of culture)
• Talk to a couple of recent departures- find them on Linkedin
• Check out recent security department job postings to get a sense of needs, quality of JDs, breadth of expectations, competitiveness of pay
• Get data from friendly recruiters on compensation to ensure that the offer is in line with market
• Consult with an attorney on your employment offer and support your negotiation

What to ask about/ understand:

Think of this as a question bank; certain topics will be appropriate earlier in the process, others later; but you won’t likely get the chance to ask everything)

1) Fundamentals

• Budget, and recent budget growth
• Team size and turnover
• Contractor usage and any key external partners/ MSSPs
• Reporting structure
• Department structure
• Tech environment and scale (e.g. # endpoints, servers, cloud environments)
• Core infrastructure migration plans
• Work and location requirements (in person, hybrid, etc)
• Relevant compliance requirements

 2) Current program/ maturity

• Is there a top-down perspective from the board or management on target risk posture? If so, what does that look like?
• How often is security on the board agenda? What have those discussions looked like in the past?
• Is there a security framework in place (e.g. NIST)? What has recent performance been? What are the biggest gaps?
• What is the performance against compliance requirements? Where are the biggest gaps?
• What is the magnitude of the vulnerability backlog and patch management approach (frequency, prioritization, etc)?
• Has cyber insurance been a challenge? If so, why?
• What have the recent security program priorities been?
• How has the security program been measured to do date? What is going well? What is not?
• How would you describe the level of security awareness across the company? (check by key departments- development, executive)

What is the status of:

• IAM program (technologies employed, PAM, RBAC/ABAC/PBAC)
• Pen tests (frequency, severity of findings, whether they have been addressed)
• Asset visibility (what is used, presence and quality of CMDB)
• SOC (insource/ outsource, degree of coverage, ability to rapidly contain and remediate, etc)
• Resilience (DR/ BC in place? Degree of coverage? Time to recover?)
• Data (Understanding of what the most important data is, where it is, ability to discover it/ classify it)
• IR (Is a playbook in place? Is a firm on retainer?)

 3) Culture

• Company- What makes the culture of the company unique? What isn’t great about company culture?
• Team- is there an established culture in the security team? How is it different from the rest of the company?
• What are the qualities of leaders that tend to be successful in this company?
• How does decision making tend to work around here?
• Is there an established pattern for reporting out on the security program to leadership and the board? Who’s there?
• What did the previous CISO do well? What did he/she not do well? Why did that person leave?
• What would I be surprised by? What have you been surprised by (if they are a more recent hire)?
• What is security’s relationship with other key departments (e.g. dev, IT, legal, etc)? What is security’s ‘brand’ within the company?
• When big projects fail around here, what tends to be the cause?
• When people don’t work out, what are the common problems/ patterns?
• Can you talk me through a couple of prior security incidents- what happened, lessons learned?

 4) Mandate and resources

• 2 years from now we look back and it’s all been successful. How would you define success?
• What do you think needs to change most to get there? Do you have a sense of investment readiness?
• Does the relationship between security and the business need to change, in your opinion? If so, how?
• What is the company’s philosophy on pay, and competitiveness of pay on the security team?
• How does the company handle program/ project management? Where do those resources sit?
• What is the process for requesting new resources? The budgeting cycle? Ability to accommodate out of budget cycle resource requests?

In all of the above, here’s what you are looking for:

• What is known and what is unknown
• Consistency of answers from various people
• Transparency, willingness to acknowledge the challenges and flaws
• Expectations proportionate to resources
• Fit between your unique strengths and the company needs

Many thanks to David Casey for being a thought partner with me on this one. Happy hunting, all.

Tools, resources, and useful things from the internet

🤖OpenAI has published a blog calling for governmental cooperation and strategy around ‘superintelligence’- when the capability of AI far exceeds artificial general intelligence. It’s thought provoking.

💡Brilliant is an app for learning key data science and software development concepts. The lessons are bite size for consumption when you have downtime.

☄️I’ve opined before on the challenges facing cybersecurity marketers that lead to bad behavior in the industry. Here’s a great panel with several CISOs giving practical advice to security companies on how to improve, as well as an aweseome ‘ethical marketing’ pledge that Ross Haleliuk at Venture in Security is leading. Bravo.

🎧Check out the CISO Series Podcast, great reflections from practitioners on the work of security leadership and the relationships between security vendors and practitioners

News

🏛️The White House is seeking public comment and input on a national AI strategy. You can read the draft strategic plan here. And here are the questions that the White House is seeking comment on. (White House)

🕷️China is getting ready for a war in Taiwan by targeting Guam with highly targeted attacks. Here’s a technical breakdown from Microsoft on the methodologies employed by the Chinese APT group (Microsoft)

🎖️Timothy Haugh (currently #2 under Nakasone) has been nominated to lead the NSA and Cyber Command (Politico)

🦹An android screen recording app (irecorder) was injected with malicious code after it first appeared on the app store, and has been used to steal audio recordings and specific files (We Live Security)

👎Utah has released results of a fairly comprehensive cybersecurity audit, governing state, local, and educational. Results were pretty bad- this is probably telling of the SLED environment across the US.

🤖AI won’t be dangerous because it’s not connected to the physical world, right? Well, that didn’t last long. The first AI controlled robot is here, backed by our friends at OpenAI (FirstPost)

🔥We are starting to see interesting (and scary) disinformation examples created using AI. A story about a pentagon fire this week went viral (it was fake) (Washington Post)

🐢It’s not you. White collar jobs (including in security) are getting pinched by hiring slowdowns and lengthened interview processes (WSJ)

Jobs to check out

This week we are featuring well paying security engineering roles

💼Capital One. Director, Enterprise Security Architect (Several locations) $269-325K.

💼Snowflake. Principal Security Engineer/ Architect (Remote) $217-339K.

💼Airbnb. Staff Production Security Engineer (Remote) $200-254K.

💼Cargill. Cyber Security Architecture Leader (Remote) $200-225K.

💼American Specialty Health. Sr Information Security Architect (Remote) $173-215K.

💼Starburst. Senior Security Engineer. $170-200K.

💼Cisco. Lead Security Architect. $164-242K.

Events

💼Identiverse. Las Vegas. May 30-June 2.

💼BSides Buffalo. June 3.

💼Gartner Risk Management Summit. June 5-7.

💼ExploitCon Portland. June 7.

💼Rocky Mountain Infosec Conference (RMISC). Denver. June 7-9.

💼Secureworld Chicago. June 8.

💼BSides SATX. San Antonio. June 10.

💼BSides Boulder. June 23.