Imagine someone running while juggling many different things, hoping he doesn’t drop anything.

Serco’s Garrett Smiley says this would be an accurate description of the demands on a CISO.

The job has taught him that achieving perfection is next to impossible. “There is always more work than there are people doing work, and the work continues, and the headcount does not increase.”

The situation has, however, taught Smiley to weigh each piece of work that needs to be done against the others. “If I do this instead of that, will my organization’s overall posture be more secure, or less secure?”

“In the end, you realize that everything is a tradeoff.”

The enabler

It was more than two decades ago when Smiley was working for a retail management firm that he decided to switch to IT. He found himself compiling helpdesk answers for common Point of Sale (POS) problems because those whom he asked were just looking up information elsewhere.

“And so, I asked myself – ‘why am I not doing this for a living?’”

Smiley went back to school and studied IT. It was the early 2000s. Eventually, across several organizations, he took on the roles of project manager, network engineer, and solutions architect. “All of these experiences translated nicely to information security,” he says.

Taking on a myriad of roles allowed him to form an understanding of the layout of the organization. “Systems. Workflows. Overall solutions. Because you can’t really secure something if you don’t know what it is, or how it works.”

Critical thinking skills are always valuable, he says, because they let people solve problems in the context of the vision, mission, and goals of the organization. “What information security means is that you help people accomplish their mission in the most secure manner possible. That is what enabling is all about.”

Contracting concerns

As CISO at a company that works for the government, Smiley must ensure that Serco safeguards government information, whether it is classified or unclassified. “Just because something is not classified does not mean it is not sensitive,” he says. “We have to be very vigilant. However we store information that we receive from the government, we should ensure that the controls are in place, maintained, and effectively doing what we think they are doing.”

The company itself, in turn, relies on other organizations that supply it with services, compounding the risk.

“We do due diligence, and we have to make sure that those vendors are doing their due diligence as well. It involves technical and non-technical controls. My job is making sure all moving pieces are receiving the appropriate governance they need. That’s easy to say, but difficult to do.”

Getting to know suppliers takes a lot of work, and sometimes it is costly too. “You can have an external auditor if you don’t want to rely on the questionnaire that they accomplish themselves.” Of course, someone has to foot the bill for these investigations. Who bears the brunt of these extra costs?

“The long and short of it is that the government is saying, ‘we’re giving you this data, you must put the same security controls in place that we are putting on our systems.’” The challenge is that there is obviously an associated cost, and, as in any relationship, both parties try to push the liability and the material impact onto each other. There will always be a push and pull.

“I am having to come up with answers, solutions, and processes where quite frankly there really isn’t an established norm in the industry,” he says. And it’s all economics, really. “I have yet to come across a system that has a limitless budget. So, we’ve been working with what we have. Do the most you can with what you are given,” he says.

Reaching across the aisle

Smiley is aware that his objectives as CISO may not necessarily be similar to the goals of others in the organization. There is a different set of deliverables for the CEO, for instance, or the CFO, or the CIO.

“My job is to make sure that whatever we do, we do it in the most secure way possible. I get behind the things I think provide the most value to achieve this. But I don’t expect everybody to think that what I do is the most important of all.”

Still, while Smiley knows that separate missions of various departments are not in perfect alignment, he tries to build rapport with the others. “It’s just people being people – if you fight for what is important for them, they will fight for what is important for you.”

When a relationship is built and maintained, people will go along with you even when you have to do the hard things, rather than say “I have no personal interest in that.”

A CISO makes sure the organization understands security-related risks and what can be done to reduce them. “The only way you can do that is if you reach out to people in different departments and work with them.”

He likes to think of the CISO as a consigliere – somebody to give advice or get consulted. “Not all my suggestions have been acted upon, but if I am doing my job well, I have an audience that will hear what I say. If I build rapport, they will at least consider it. They may not act on it, but they will hear me when I talk about risks, chew on it, and make it a factor in the decisions they make.”

An elephant-eating fly

Smiley says he is fortunate to have a security staff that knows what they need to do and how to do it. “We have an extremely well-established workflow and cadence. They are very thorough.” He knows some CISOs managing an international staff 24/7, and they have a much more challenging personal life.

On weekends he does the usual dad things – indoor trampoline, water park – with his kid. When he gets more free time he works as a part-time dissertation adjunct.

Through all this, Smiley has learned to live with the fact that one never has enough time and people to do everything one needs or wants to do. The question instead is, how effective are you at prioritizing?

“What I learned is that you just focus on one area and then move to the next. It’s like a fly trying to eat an elephant – don’t get stumped by the big picture. You just try to tackle the areas where you think you will realize the most value, using people, tools, and tech to carry that process out,” he says.

“Once you get a steady battle rhythm, you can move on to other things.”