How to Think Like a Pro CISO

(Chief Information Security Officer)

A CISO thinks strategically, not tactically. What does this mean in practical terms?

A CISO’s job is not to fix every potential problem (which would be impossible anyway), but to solve the problem of enabling business functionality while maintaining security. To that end, a CISO allocates time, money, and resources against the threats that actually matter rather than trying to patch every vulnerability the scanner reports.

Thinking strategically means understanding what the critical data and business processes are, where they are physically located, and how to protect them from external and internal threats. In most cases the internal threat is not malicious: it is a well-meaning employee who has been tricked into revealing data or clicking on malware. I call this person “the accidental insider.”

In order to think like a CISO, start with the critical information, then defend it against the most likely threats in the most cost-effective way. If you can do that consistently, you will be a successful CISO.


In this episode:

  • 0:08 Welcome
  • 1:03 Always ask “what is the problem you’re trying to solve?”
  • 4:28 Also ask “are we using everything we have” to solve our problems?
  • 5:25 Let the need drive the decision, not the coolness factor
  • 5:48 The Dr. Cole Magic 3
  • 6:53 1: What is the risk?
  • 7:12 2: Is this the highest priority problem?
  • 8:12 3: Is this solution the most cost effective way to solve the problem?
  • 9:02 Always come up with 5 options
  • 11:03 Magic 3 review
  • 12:45 What is the mindset a CISO should have?
  • 14:12 Threats and vulnerabilities
  • 16:25 A vulnerability only exists if there’s a threat
  • 18:12 The threats drive the risk calculation
  • 20:38 What is the physical location of the data?
  • 21:25 What are the critical threats?
  • 21:45 Once you understand that, what are the threats to that business process?
  • 22:42 The 2 categories of threats: external and internal
  • 23:40 The accidental insider
  • 27:44 review: start with critical information, defend against threats
  • 28:14 Step 3: What vulnerabilities exist that allow these threats to cause harm?
  • 29:21 The mistake we make is skipping to step 3
  • 30:21 Don’t trust the scanner without understanding the threat matrix
  • 31:00 How to think like a CISO
  • 31:57 Wrap up
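The three-step ordering from the episode (critical information first, then the threats that can reach it, and only then the scanner’s vulnerabilities) can be made concrete as a small ranking exercise. The following is an added example written for this page, not code from Dr. Cole or the episode; every asset, finding identifier, threat likelihood and location string in it is constructed sample data, and the scoring formula is a simple illustrative choice, not a standard.

```python
"""Threat-driven risk ranking: scanner severity (step 3) re-weighted by
whether a credible threat (step 2) can reach critical information (step 1).
All assets, threats, likelihoods and findings below are constructed samples."""
from dataclasses import dataclass

# Step 2: the threat matrix. Hypothetical annual likelihood that each threat
# category actually attempts something against this organisation.
THREAT_MATRIX = {
    "accidental_insider": 0.7,      # well-meaning employee clicks or reveals data
    "external_opportunistic": 0.5,  # mass scanning / commodity malware
    "external_targeted": 0.2,       # someone specifically after this business
}


@dataclass(frozen=True)
class Asset:
    name: str
    critical_data: bool       # step 1: does it hold or process critical information?
    location: str             # where the data physically lives
    reachable_by: frozenset   # threat categories that can actually reach this asset


@dataclass(frozen=True)
class Finding:
    asset: str
    finding_id: str           # scanner's own ticket id (constructed, not a CVE)
    cvss: float               # severity as the scanner reports it
    exercised_by: frozenset   # threat categories able to exploit this weakness


# Constructed inventory: a lab box nobody outside can reach, an HR share that
# staff open attachments on, and an internet-facing web tier.
ASSETS = {a.name: a for a in [
    Asset("dev-jumpbox", False, "lab VLAN, no internet route",
          frozenset({"accidental_insider"})),
    Asset("hr-fileshare", True, "on-prem file server, building 2",
          frozenset({"accidental_insider", "external_targeted"})),
    Asset("public-web", True, "cloud tenant, internet-facing",
          frozenset({"external_opportunistic", "external_targeted"})),
]}

# Constructed scanner output. Note the highest CVSS sits on the least exposed box.
FINDINGS = [
    Finding("dev-jumpbox", "FND-1", 9.8, frozenset({"external_opportunistic"})),
    Finding("public-web", "FND-2", 7.5, frozenset({"external_opportunistic"})),
    Finding("hr-fileshare", "FND-3", 6.5, frozenset({"accidental_insider"})),
]


def risk_score(finding, assets=ASSETS, threats=THREAT_MATRIX):
    """Risk = threat likelihood x impact x severity.

    A weakness that no threat able to exercise it can reach scores zero:
    the vulnerability is real, but there is no risk to spend money on.
    """
    asset = assets[finding.asset]
    applicable = asset.reachable_by & finding.exercised_by
    if not applicable:
        return 0.0
    likelihood = max(threats[t] for t in applicable)
    impact = 1.0 if asset.critical_data else 0.2   # illustrative weights
    return round(likelihood * impact * finding.cvss, 2)


def scanner_order(findings=FINDINGS):
    """What you get by trusting the scanner: sorted by CVSS alone."""
    return [f.finding_id for f in sorted(findings, key=lambda f: -f.cvss)]


def risk_order(findings=FINDINGS):
    """What you get by starting from the data and the threats to it."""
    return [f.finding_id for f in sorted(findings, key=lambda f: -risk_score(f))]


if __name__ == "__main__":
    print("scanner order:", scanner_order())
    print("risk order:   ", risk_order())
    for f in FINDINGS:
        print(f.finding_id, f.asset, ASSETS[f.asset].location, "->", risk_score(f))
```

Run as-is, the scanner puts the 9.8 on the isolated jumpbox first; the threat-driven ranking puts the 6.5 on the HR share first, because the accidental insider can reach that data and the likelihood of that threat is high, while nothing in the threat matrix can reach the jumpbox weakness at all. Swap in your own threat matrix and asset inventory before drawing any conclusion about a real environment.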