
Cybersecurity Leadership Effectiveness Using the McKinsey 7S Framework

Todd Fitzgerald, Managing Director/CISO

CISO Spotlight, LLC

Cybersecurity Leadership Author

ABSTRACT How do we know if the CISO's security program has accounted for all the components needed to be effective? This session draws on the work done in the 1980s by 2 McKinsey consultants (the 7-S Framework) and applies it to building and sustaining the cybersecurity program, to ensure we have accounted for strategy, structure, systems, skills, style, staff, and shared values. We will look at each of these components. Each of these 7 areas is detailed in a comprehensive leadership roadmap in the new book CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers.


Table of Contents

EXECUTIVE SUMMARY ............................................................................................................ 3

INTRODUCTION ...................................................................................................................... 4

THE CISO EFFECTIVENESS AGENDA.......................................................................................... 5

CISO EVOLUTION DISCUSSION ................................................................................................ 6

7-S MODEL APPLIED TO CYBERSECURITY LEADERSHIP ............................................................. 7

CYBERSECURITY LEADERSHIP DEVELOPING STRATEGY/EXAMINING EMERGING TECHNOLOGIES AND TRENDS .......................................................................................................................... 8

CYBERSECURITY LEADERSHIP ORGANIZATION STRUCTURE/REPORTING MODELS ...................10

CYBERSECURITY LEADERSHIP SYSTEMS (PROCESSES AND ROUTINES) .....................................11

CYBERSECURITY LEADERSHIP SHARED VALUES .......................................................................12

CYBERSECURITY LEADERSHIP SKILLS, STAFF AND STYLE, FINAL THOUGHTS .............................14

ABOUT THE FACILITATOR.......................................................................................................15


Executive Summary The “Cybersecurity Leadership Effectiveness Using the McKinsey 7S Framework” learning lab was comprised of 64 senior-level information security/cybersecurity leaders interested in building effective strategies and cybersecurity organizations to protect their company’s information assets. The workshop leveraged the research used to create the new 2019 book, CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers, which provides an innovative approach to examining the security leader’s job by combining the McKinsey 7S management framework for organizational effectiveness and activities and the issues dealt with by the CISO or senior security leaders.

The workshop covered the 7 factors of the McKinsey 7-S framework, oriented towards ensuring ‘organizational effectiveness’ and the 13 different aspects the CISO deals with daily, such as developing a strategy, selecting control frameworks, leveraging incidents, privacy and data protection, managing a multi-generational workforce and reporting to the board. Clearly, 2 hours could only touch the surface of each of these components, each explored further in the book (this material has also been offered as a 1-2-day workshop and semester course in other venues).

It was clear that the attendees were very engaged in the process and were leveraging the contributions of the other participants. These learning labs are very beneficial as many topics are explored in a short period, helping the participant to focus on those areas needing more attention after returning to the office.

My hope is that the materials provided to learning lab participants help in exploring the concepts on a deeper level as necessary. Further information about the 7-S framework and the new CISO COMPASS book may be viewed through the RSAC-TV Interview at https://www.rsaconference.com/videos/ciso-compass-cybersecurity-leadership-effectiveness-using-the-7-s-framework


Introduction


The CISO Effectiveness Agenda Each of the 7 factors of the McKinsey 7-S framework was discussed through its application to the business of information security/cybersecurity, which the facilitator named the 7-S Framework Applied to Cybersecurity Leadership. Rather than developing a ‘new framework’ to examine the completeness of the CISO's activities, a model for ‘organizational effectiveness’ already existed, so why create a new one? The 7-S factors were therefore mapped to the areas the CISO should pay attention to and discussed in the following order:

No. Agenda Item

1. Introduction

2. CISO (Security Leader) Evolution

3. 7-S Framework Applied to Cybersecurity Leadership

4. Cybersecurity Strategy: Developing Cybersecurity Strategy; Emerging Trends and Technologies

5. Cybersecurity Structure: Organization Structure; Reporting Models

6. Cybersecurity CISO Systems (Processes and Routines): Leveraging Incidents; Security Control Frameworks; Risk Management

7. Cybersecurity Shared Values: Laws and Regulations; Data Protection and Privacy; Policies and Procedures

8. Cybersecurity Staff: Multi-Generational Workforce Dynamics

9. Cybersecurity Skills: CISO Soft Skills

10. Cybersecurity Style: Reporting to the Board

11. Wrap-up

CISO Evolution Discussion

The session started with a discussion of the evolution of the Chief Information Security Officer (CISO) and what we can learn from the past 25 years of the CISO. CISO is a term that describes the most senior information security individual within the organization, which may be at the manager, director, vice president, or executive level. It is important to understand the history to understand the current environment we are operating in and the issues which must be addressed.

The discussion also included individuals describing their own experiences and where they viewed themselves in terms of operating within their organization, in other words, in which of the 5 phases they were spending most of their time. While each security leader spends time in each of these areas, as they are cumulative (i.e., each subsequent phase includes the activities of the prior phase), many CISOs in the group seemed to go back and forth between phases 3 and 4. The 5 phases are as follows:


7-S Model Applied to Cybersecurity Leadership The model below was used as the basis for discussing in more detail each of the components of the 7-S framework (strategy, structure, systems, style, staff, skills, and shared values).


Cybersecurity Leadership Developing Strategy/Examining Emerging Technologies and Trends Each of the ways to develop a strategy was discussed and plotted on charts, along with the type of CISO. The results were mixed across the group, with some executing bottom-up strategies and some top-down strategies. Both strategies are fine. For example, an organization just starting to shore up infrastructure gaps may be focused on a bottom-up approach utilizing frameworks such as the CIS Controls, while an organization deploying a global common language with top-management support may be executing a top-down strategy utilizing ISO27001/2.

Source: T. Fitzgerald, CISO Compass: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers (2019, Auerbach Publications)


Cybersecurity Leadership Organization Structure/Reporting Models The group was very engaged as we role-played the different reporting relationships and interactions between key members of the management team. While many of the group reported up through the CIO organization, we discussed the need to move the role outside of IT, but there were also reasons why the relationship could work while building a program. The following is one of the graphics discussed, showing the pluses and minuses of each reporting relationship… as each has them.


Cybersecurity Leadership Systems (Processes and Routines) The systems discussed in this context are not IT systems, but rather the routines and processes used by the CISO to complete their job. In other words, what are the tools of the CISO? These are at a higher level than the cybersecurity tools such as anti-virus, firewalls, security analytics, vulnerability scanners, encryption, etc. These tools are represented by leveraging cybersecurity incidents (their own and those of others), control frameworks, and risk management practices. It was clear from the workshop that CISOs do not spend enough time examining the detailed reports of incidents that have occurred at other organizations, from which valuable information can be gleaned.

Cybersecurity Leadership Shared Values

The shared values are those values that define the culture of an organization. In the cybersecurity context, there are 3 areas that should have a significant influence on the shared values: 1) laws and regulations, 2) data protection and privacy, and 3) the establishment of meaningful policies and procedures. Workshop participants were subject to several of the laws and were experiencing the rationalization of security controls to meet these laws, as well as having to understand the security profiles of their vendors. We agreed that all the participants were subject to the privacy laws, so we reviewed the 8 OECD principles on which the privacy laws are based. Below are some of the laws and regulations; we also reviewed about 20 control frameworks and privacy law components.


Cybersecurity Leadership Skills, Staff and Style, Final Thoughts

We discussed the skills of the CISO, the 4 different generations in the workforce and their implications, and reporting to the board of directors. While a board interaction exercise was planned, the workshop participants were so engaged that we did not have time for this activity; it may become a workshop all on its own in the future, along with structuring the CISO organization.

The CISO is a complex, necessary role within the organization, and each touchpoint holds the possibility for success or conflict. In the end, the group ranked the importance of each of the CISO activities and, as expected, the importance of each of the 13 areas the CISO must address within the 7-S framework varied based upon the challenges facing each CISO. All of the areas must work together for an effective organization, and the framework can be used as a tool to help the CISO decide where best to put the ‘cybersecurity energy.’


About the Facilitator

Todd Fitzgerald Managing Director/CISO, CISO SPOTLIGHT, LLC

Cybersecurity Leadership Author

Todd Fitzgerald has built and led information security programs for Fortune 500/large companies for 20 years. He was named 2016–17 Chicago CISO of the Year, ranked a Top 50 Information Security Executive, authored 4 books: CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers (2019), Information Security Governance Simplified: From the Boardroom to the Keyboard, the ground-breaking CISO Leadership: Essential Principles for Success, and the E-C Council Certified Chief Information Security Officer Body of Knowledge, and contributed to a dozen others. Todd held senior leadership positions at Northern Trust, Grant Thornton International, Ltd, ManpowerGroup, WellPoint (Anthem) Blue Cross Blue Shield/National Government Services, Zeneca/Syngenta, IMS Health and American Airlines. Todd frequently speaks at international conferences, provides keynote presentations, conducts security leadership workshops, participates on advisory boards and writes about current cybersecurity issues. Todd can be reached at [email protected].


www.amazon.com/author/toddfitzgerald