The average tenure of a CISO is between one and three years. Average tenure is so short because after a couple years of inability to execute on our vision, we give up with the excuse that “THEY” just don’t care. The primary impact of this churn is that cybersecurity programs must repeatedly restart thereby significantly increasing organizational risk.
How does this happen?
Well, we go through the motions:
• We develop a comprehensive strategy based on some standard;
• We present periodic updates to the Board and the Executive Management team
• We request and receive some level of budget
• We hire and retain an effective team.
I have done all of this. Though these things were and remain highly necessary, I found they were not enough to deliver the kind of program we needed. That realization – and an initial fail – lead me to understand what I really needed. What I really needed was four key elements.
A little bit about my organization. UMass Memorial Health Care,with three Hospitals across eight campuses, is the largest health care system in central Massachusetts. It is the clinical partner of the University of Massachusetts Medical School and has at its disposal all the latest technology, research and clinical trials. In addition to our hospitals we also provide home health and hospice programs, behavioral health programs, and community-based physician practices.
"Establishing a cadence for meetings helps to establish priority. Initially getting together every day seems to be the perfect formula to keep the focus where it needs to be"
Establishing a governance model is a critical step – you need somewhere to go to bounce ideas off the wall, have them vetted and receive support. What I discovered is that this model continues to evolve with changes to our internal and external environments
Importantly, you need a body that represents the entire business and can make decisions. Once the structure is established you should continue to funnel decision-making authority back to this committee. Don’t allow Monday Morning quarterbacking. The committee helps to prioritize work, for example, let’s assure that we fix operational issues impacting clinicians prior to changing their workflow. In other words, always address operational areas first.
Key point: Organizational decisions can’t be made in a vacuum.
Establishing a cadence for meetings helps to establish priority. Initially getting together every day seems to be the perfect formula to keep the focus where it needs to be. This approach is highly effective for short-term wins. I will admit that it becomes more challenging after that and most organizations – no matter how high-performing – find it difficult to maintain this meeting frequency long-term. The multi-disciplinary daily huddles were initially impactful & had to be adjusted after the quick wins were achieved.
Key Point: Focus can be achieved through frequency and clear messaging.
I must admit this was a subtle change. Having internal audit contract (instead of me) for a penetration test (or could have been audit or other assessment) go required the report to be delivered to the audit committee of the board, which is used to receiving reports that require management responses and action.
Tell a story: Which of these do you find more effective: showing a diagram of risks, red, yellow, and green, and talking about what we need to do or explaining thata pen test successfully compromised 80% of our passwords in less than 2 minutes. One of these is theoretical, the other is real.
When communicating with upper levels of management I’ve used a one-page graphic that details the issues in an easy-to-understand format. Always ensure that you’ve answered the key questions: What? So What, and Now what?
Key Point: Use existing structures within the organization to drive change.
To prepare the organization for change its necessary to overcommunicate the shared vision. This could be called “pre-suasion.” A telltale sign that you have effectively socialized an idea is when you begin to hear others say things you would have said. This process can be lengthy, in my organization, this process takes about nine months. I am proud to say this model is working even as I continue to monitor and tweak it from time-to-time.
Key Point: It takes a while – sometimes up to nine months!
Executive buy-in, a good strategy, budget and a solid team are necessary, but not sufficient.
You also need solid governance structure from across the organization with the ability to make decisions about the program that impact the entire organization.
You need to establish real priorities – those that will put your team on the right track to deliver the desired results.
You need to communicate effectively, especially through storytelling.
Socialize the changes well ahead – get help in telling your story.