The Value of CISO Communities

By Kevin Townsend | Published on February 6

(Kevin Townsend | SecurityWeek) - The only defense better than the expertise of one CISO is the combined expertise of many CISOs.

In recent years, closed CISO communities have increased in number and grown in size. They act as an information exchange, an advice center, a pressure valve, and a safe haven from critical oversight.

The need is obvious. CISOs occupy a unique position in business. Despite greater integration with business operations, they are the only business leaders trying to counter active and adaptive threats; and yet theirs is a role that is little understood by the rest of the business. The only other leaders capable of discussing their needs, grouses, pressures and adversaries are other CISOs (although a thousand and one product vendors claim to understand, and offer expensive solutions).

CISOs need a channel to discuss work (and other shared problems) with peer CISOs. Since nature abhors a vacuum, CISO communities emerged naturally, in a process that can be considered a form of autopoiesis (self-emergence and self-management). Inevitable as such communities were, their emergence was boosted by the Covid lockdowns. Before then, and still today, CISOs would come together in small groups at major cybersecurity conferences to talk among themselves. This was not possible during the height of the pandemic, and these groups needed to find an alternative way to meet.

Modern communication systems provided the obvious answer, and with a dramatic improvement: from a small group of a few CISOs meeting once or twice a year to a community of potentially many hundreds of CISOs in constant communication.

There are now many different CISO communities in many different countries. Some are focused on vertical industry sectors; some are focused on geographical regions with different languages and/or geopolitical priorities. And they are all closed to outsiders.

Mechanism

The mechanism is simple and obvious with today’s technology. The favored channels are Slack (especially in the US) and WhatsApp (especially in Europe). The primary requirement is that internal conversations can be closed off and protected from the rest of the world.

The size of a community can be anything from a dozen to many hundreds of members, and they are often grouped around subject areas (vertical industry sectors) and geographic regions. In large groups, the conversations tend to be less sensitive, with sensitive topics confined to smaller groups. In some ways, the size of the overarching community is irrelevant – a sensitive topic can be raised, and only those interested can hive off into a separate group for the duration of the conversation.

Management is primarily by consensus. All systems need their admins; but a moderator is excluded. “It’s meant to be a bunch of peers collaborating, and to have someone with ‘approval’ rights for what does and doesn’t go live would simply be wrong,” comments a fintech CISO.

A community is no Wild West. The participants are senior executives with mutual respect for, and trust in, each other’s confidentiality. There is a code of conduct, which may or may not be codified, but the rules are primarily those of acceptable good behavior. Even the primary law, the Chatham House Rule, may or may not be formalized, but it is universally accepted.

It follows that a community functioning with a high level of mutual trust cannot be an open door to everyone. Methods of admission vary between communities. The primary principle is that communities are accessible only to CISOs – but that is not maintained 100% by 100% of communities.

Some communities have a website through which candidates can apply for admission. In other cases, existing members can recommend other CISOs of good standing, with admission requiring a combination of recommendation and endorsement.

Expulsions are rare but can happen, as can organic departures. The communities seem less concerned about departing members leaving with sensitive information than they are about ‘rogue’ sales-oriented CISOs trying to ‘sell’ from within the community.

The security ecosphere changes so rapidly that what was sensitive information last week is old hat this week. “Given the pace of change in security, that information would rapidly become irrelevant. So, I don’t see it as a huge risk, given the pace of change that we’re all under,” explains Jadee Hanson (CISO at Vanta).

The cause of expulsions is of more general concern. “What we don’t want is to muddy the channel with sales perspectives. No one wants to be sold to. Budgets are tight, and we’re all just trying to fight the good fight,” explains another member.

Hanson adds, “The main reason folks might get moved out of the community is if they’re CISOs who work for security companies, like I do, and they try to leverage the community for sales – that is a surefire way of getting removed from the community.”

Since the communities are built on trust, loss of trust is also a cause for concern. The Chatham House Rule is sometimes supported by a red flag system stressing that a particular piece of information must not be shared outside of the community: ‘Hey, this is red. This cannot be shared outside of this community.’ And if somebody finds out it was shared, that is another reason why a person may be removed from the community.

Despite the concentration on CISO-only membership, there is one surprising exception in some communities. Individual CISOs are strong on mentoring, and the communities are no different. “Aspiring CISOs or folk that are clearly on the path,” explains Trey Ford (former CISO, Americas at Bugcrowd and currently Chief Strategy and Trust Officer at Bugcrowd), “can be admitted so that we can invest in the future. These people need experienced others to give them a hard time over their resumes, help prep for interviews, provide feedback on presentation plans, and generally coach them.” This can be done through outreach from the community, or by inclusion of the prospect in the community.

A safe haven for constructive conversation

“These are communities of trust, and communities of folks that all have an executive level of responsibility, and duty of care and loyalty to their employer,” comments Ford. “They are looking for perspectives wider than their own from other executives with the same responsibilities and at their own level.”

It follows that no discussion subject is off the table, but the subjects discussed are self-selecting. A member could raise his hand and say, “I’d like to talk about…” If there are no takers, the subject withers. But if the subject is of interest or importance to others, those interested can hive off into smaller closed groups, either within the main structure or in a separate one. A single CISO can be a member of multiple communities.

Information sharing. Threat information sharing is obviously a primary purpose of the communities. Government-sponsored groups (ISACs and ISAOs) already exist for this purpose, but they have not prevented the rise of closed CISO communities. The operational difference between the two approaches is indicative of the purpose of the communities and of why they are so popular.

ISACs (information sharing and analysis centers) were created following a presidential decision directive (PDD-63) in 1998. They were designed to help improve the security of critical infrastructure. ISAOs (information sharing and analysis organizations) emerged after Obama’s Executive Order 13691 in February 2015. The latter are based on the former but designed to spread information sharing beyond the ISACs’ traditional sector-specific remit.

While the government-sponsored organizations and the organic, spontaneous CISO communities share a central purpose of threat intelligence sharing, they have few direct parallels – and the differences are an education in the value of the communities.

Ford explains. “Trust between individuals is explicit. Trust between organizations is implicit. The legal and organizational effort required to create and maintain a government sponsored safe place constrains the trust level to implicit – company to company rather than person to person. But I can sit down for a beer or coffee with another security executive and we can talk explicitly and share notes on investigations or on problems or on failure modes or on a whole array of other things. We can talk about staffing, talent, a new breaking vulnerability, or how we’re responding to the latest log4j.”

This highlights another difference between ISACs and communities. There is always latency between the ingestion of data and the dissemination of information in any hub-and-spoke system (such as ISACs and ISAOs); the communities, by contrast, offer almost real-time, actionable collaboration on information.

Hanson also highlights the combined value of personal trust and the immediacy of the communities. “It can’t come from a once a year ISAC meeting. But if you’re talking to people every day over Slack you get to know them.”

In short, it’s not an ISAC / ISAO or community question, it’s an ISAC / ISAO and community solution.

Mutual support. Support comes in several forms. It could be emotional or practical support in the aftermath of a critical incident; it could be advice on what to do next in the event of scapegoating. (“We don’t have to look far to see a Joe Sullivan or a Tim Brown and other evolving lawsuits and concerns in this industry,” comments one member.)

“If there’s something a community member wants to talk about, people make space for that, and they support one another through it,” adds Hanson.

Support is a primary function of the communities, continues Niels Hofmans (head of security & IT at Intigriti). “Being a CISO is a niche situation with a lot of unique challenges. You can find people with the exact same problem, or who have experienced the same challenges before.”

Advice. “Networking is also a big win,” suggests Hofmans. “Since we’re always with our heads in the trenches or placed in representative positions for our companies, it’s sometimes hard to speak freely about challenges in the field and personal experiences.” Product information is often useful, and while CISOs don’t generally trust vendor opinions, they’ll take the views of fellow CISOs any day of the week. “Being able to share unfiltered opinions on vendors you’re happy about is so useful. It could prevent you from going all-in with a bad vendor and save you a lot of hassle,” commented one CISO.

Some communities have dedicated vendor technology channels where members collaborate on, troubleshoot, and compare notes on different vendors and new products.

Job opportunities and staffing difficulties are also discussed. Sometimes a CISO will wish to move on to a position with greater responsibility and may even be considering a specific destination. What he or she may not know is that the company concerned has a history of burning through CISOs at a rate of one a year. That is not necessarily bad in itself, but the community will likely have insights into the cause – which could be.

Ford comments, “When you see, let’s say ACME Corp, from Wile E. Coyote and Road Runner fame, hiring their fifth CISO in six years, you must ask the question: Why? Is it a failure in their hiring process, or is it a leadership, sponsorship or organizational priority problem? So, if a member is considering this company, you can say, ‘Hey, go and talk to Jim or Jenny or Joe, who have all three worked there in the last five years. It’s a great way to get prior CISOs’ opinion when you’re thinking of changing jobs.”

Job opportunities and recommendations are not limited to the CISOs but can trickle down to their teams. Economic pressures and corporate mergers can lead to downsized security teams – and being forced to lose exceptional and promising security engineers is a hard pill. Highlighting their upcoming availability to other CISOs who may have a relevant vacancy not only helps the fellow member but is an effective way of maintaining the skill level of the overall cybersecurity industry.

Mental health. Maintaining health, both their own and that of their corporate teams, is a primary concern for all CISOs – the job cannot be done without a fully and highly functioning team. And yet doing the job is the primary cause of a major and growing health issue that prevents people from being effective: specifically, the mental health issue of burnout. Burnout is serious. It leaves the sufferer unable to concentrate on work.

This is not something that can be controlled by willpower; its development alters the way the brain operates. There can be multiple contributory causes, but by far the primary one is continuous stress, and stress is almost the job description for working in cybersecurity. Ford goes so far as to call the work ‘almost Sisyphean’; that is, endless and futile.

CISOs do their best to watch for and prevent the onset of burnout in their teams. But who watches the watcher? No one. “If I’m talking with my friends or my family about the stress of my day job, I’m kind of whinging, and they don’t really know what I do. But in these communities, we get it; it’s a safe place to have those conversations, to have those dialogs.”

One CISO from a fintech company makes the point that mental health is discussed, but not necessarily in the main channel (perhaps because the majority of CISOs are still men, and men don’t easily admit to or discuss personal mental health concerns). “But in small groups with beer in hand it’s becoming increasingly normal to discuss the personal stuff such as burnout, frustrations with regulations, admissions that you’re fighting with a threat you don’t understand, and so on.”

Hanson agrees that burnout is discussed, but “I don’t think it’s discussed in the general channel where everyone can see it – but once you build trusted alliances with other security leaders, it’s definitely discussed. We get it. We understand how challenging this role can be, and when we see someone struggling, we typically stand with that CISO. It’s a very community-first thing. Most of the stuff we talk about is work and challenging problems, and how different companies are solving difficult problems. But at the end of the day, the community cares deeply about its members, and so we are there for each other.”

CISO Communities

Communities are an interesting sociological phenomenon. They can be defined as a group with a shared purpose and identity coming together as a human system. As with all systems, the larger they become, the greater the need for some form of governance or hierarchical structure.

Anthropologist Robin Dunbar proposed that any community with more than about 150 members requires a formal structure to manage its interactions. CISO communities can number in the thousands – and yet formal management and human hierarchy are eschewed. Instead, the structure is provided by modern communications technology.

Small, specialist sub-communities can exist within much larger Slack and WhatsApp communities, with the technology supporting an informal and dynamic hierarchy. This keeps interactions focused without limiting the wider pool of knowledge available from the large community.

In effect, a single large community can include many smaller communities, and a single member can belong to multiple sub-communities, all under the umbrella of the wider community. Interactions can take place in very small groups, or even in one-on-one conversations. The result is strength in numbers without losing focus on subjects – and the effect of these communities is to improve cybersecurity defenses and CISO effectiveness.

In short, CISO communities have become a secret weapon that helps to strengthen CISOs, improve cybersecurity defenses, and mitigate the effects of attacks from malicious adversaries.
