By Ed Moyle TechNewsWorld Part of the ECT News Network
08/20/08 4:00 AM PT
As an IT chief security officer, it's not enough that you do your job, writes columnist Ed Moyle. You also have to build support, or else your peers will see you as a roadblock to be avoided. It's not so much about making people like you as it is about cultivating respect.
Ever heard of Themistocles? In case you haven't, it's a tragic story.
Themistocles was an Athenian statesman and general who lived around 500 B.C. He was one of the leading political minds of his time, and perhaps one of the most brilliant military strategists of his -- or any -- time as well. As a direct result of his actions, Athens became the largest center of commerce in Greece, and it's arguable that his policy of naval superiority ultimately led to the establishment of the Athenian Empire. He was, without a doubt, a hero -- a man of cunning and intelligence, a born leader and exemplary strategist.
But the tragic part isn't his brilliant military and political career. Instead, the tragedy is what happened to him after. You see, the Greek system at the time had a process called "ostracism" wherein any citizen could be banished at any time for a period of 10 years -- you didn't have to commit any crime to be ostracized; it happened automatically if the citizens voted it so. And Themistocles, while brilliant, wasn't a popular guy.
He was kicked out of Athens in disgrace, his property was confiscated, and he was ultimately declared a traitor. It was a tragic end for someone of such great ability. But in the end, Themistocles didn't win or lose as a result of his ability -- instead, it was his failure to win the support of his peers that sealed his unfortunate fate.
An Unpopular Job
Which brings me to my point. Security professionals (CSOs, security managers, CISOs, etc.) can learn quite a bit from Themistocles' story. Specifically, it's not enough to do your job well -- you have to win support as you do so. And winning support is harder than you might think.
Running security in an organization of any size is like walking a tightrope -- there's a razor's edge between being effective and building the consensus that will allow you to stay relevant in the future. If you're doing it right, your job sometimes involves saying "no" to things -- things that your peers might be highly motivated to do.
Your job can involve telling the application folks that they can't implement a new release when there's a serious security issue; it can involve telling the system folks that there are security problems in the systems they manage; and -- depending on the policy in your firm -- it can involve telling employees that they can't use their mobile devices in the office. Nope, it's not always a job that helps you win friends.
And as we know from history, the winning friends part is important. Just like Themistocles, a CSO that can't build consensus is dead in the water. If the business and technologists see you as a roadblock, they'll go around you to get their own jobs done and they'll leave you out of critical decisions. If you're always saying "no," you'll soon find yourself alone and out of the loop. But conversely, say "yes" too often (or to the wrong things), and you'll find yourself with the opposite problem: a boatload of friends -- in an environment rife with security problems. Either extreme is disaster.
Objectivity Breeds Respect
So, how do you strike the right balance? How can you get the support that you need while still making sure that you're being effective? One strategy I've heard time and again from successful shops is that the key is to cultivate respect. You can dislike someone but still have respect for them (ask almost anybody in basic training). And to cultivate respect, some CSOs borrow a page from the law enforcement playbook.
The Rule of Law posits that only laws appropriately disclosed and objectively enforced can provide evenhanded justice for the citizens that live under that law. Objective laws mean that the same rules apply to everyone in equal measure. Ideally, under the Rule of Law, citizens respect the authority of law enforcement not because they have any liking for the fuzz, but instead because they know the rules ahead of time and they have decision-making authority over whether they uphold those laws or not. That doesn't mean we're thrilled every time we get pulled over for speeding, but if we were legitimately speeding and we got caught -- well, we chose to speed. We might not like the cop that pulls us over, but we respect his authority to do so. And if we really weren't speeding, there's due process -- we can go to court and make a case that we were pulled over incorrectly.
By analogy, if we strive to implement security in our organizations according to an objective standard, we can make sure that when we have to say "no," that it's fair. If our policies are well-published and we objectively enforce them throughout the organization, when the time comes to put the foot down, people know it's not personal. Folks might not be happy about it, but -- like the cop -- they can't blame you for doing your job.
Those CSOs who take this approach also implement a review process -- maybe management review of the circumstance in question or maybe a forum that meets to discuss the issue -- for times when folks think they've been unfairly treated. This way, folks in the organization have recourse to a fair hearing when they don't agree with how you've applied the policy to their particular circumstance.
Of course, for this system to work, the way that policy -- especially security policy -- comes into being has to be objective as well. Ideally, the policy should result from an objective (maybe even quantifiable) assessment of risk. Stakeholders from the organization should have input into the risk determination process so that the ultimate firm-wide policy is one that they themselves had a say in creating, based on the same data as everyone else.
Make Your Pitch
But objectivity is just one side of the coin. An objective system will help make sure you have the respect when people interact with you, but it isn't going to get you involved in what they're doing. A CSO also needs visibility -- you need to advertise. It's one thing to have a completely objective system, but if nobody knows about it, let's face it, you're irrelevant. And the way to do that is to get -- and stay -- involved.
The folks in your business have a lot on their plates, and reaching out to you probably isn't the first thing on their agenda. Sure, they might know they should, but they've got enough to do as it is. To earn their attention, you need to reach out to them. If you establish yourself as someone who can help them, they'll come back to you time and again as their trusted ally.
By being on their radar as they move their own tasks forward, you have the opportunity to advertise security by being vocal with your business and technology peers about your goals and how you plan to reach them. This gives you that visibility that you need to cement a relationship with them for the future.
Ed Moyle is currently a manager with CTG's information security solutions practice, providing strategy, consulting and solutions to clients worldwide, as well as a founding partner of Security Curve. His extensive background in computer security includes experience in forensics, application penetration testing, information security audit and secure solutions development.