I have written about craftsmanship in the past, and my conversation with Alex Hutton reinforced the idea even more.
Running IT Ops and Security as a craft matters because most CIOs and CISOs feel, unfortunately, that their biggest value shows only when there is a problem (a data breach, a system failure, etc.).
Alex Hutton says that one of the most important jobs of the CISO is bedside manner: crafting how the business consumes you through your product, which is your reporting.
Alex Hutton is currently Director of Operational Risk at a large bank. Prior to this, Hutton was an entrepreneur involved with several successful startups. He served as CEO of Risk Management Insight and as a principal in Verizon's Risk Intelligence group, where he was involved in developing the Verizon DBIR. He is an avid security blogger, speaker and conference organizer. He brings a wealth of knowledge and experience on risk management and metrics to any discussion, and he is a passionate and experienced public speaker.
Important Ideas from this Episode that I think you will find very helpful
How can a “Next Gen” CIO/CISO be a craftsman?
How does the business consume you?
Complexity management through the micromort analogy (a one-in-a-million probability of death)
Being aware that how the business consumes me is my bedside manner
Do Your IT Sec Metrics Pass the Sniff Test?
Do You Feel Important Only When You Screw Up?
Your Reporting is Your Product – Why?
The most important metrics are money and time
How much support does the CISO need from IT Ops? What is your management capability for handling complexity?
Sniff test – the confluence of Risk Management, IT Operations and IT Governance
Sloppy shops make for data breaches
Use the “Scorecard Sniff Test” – the 10-second rule: if a person outside IT Security can’t tell from your graph in 10 seconds what needs action or discussion, redo your presentation
Gene Kim – the most successful shops are run by ex-military or ex-audit people
Following a well-defined process makes a huge difference
Ideas for the CISO reporting structure
Governance, without measurement, is Dogma
Governance, with measurement, is risk management
Resources Mentioned in the Episode
- IT Process Institute
- Society for Information Risk
- Gene Kim
- Verizon DBIR – Data Breach Investigations Report
- Stephen Few – Great Reporting – Studies on how people consume information
You can see his talks and presentations from previous RSA conferences here.
You can follow him on Twitter here.
All methods of how to access the show are below:
- Listen on iTunes (for iPhones etc.)
- Listen to it on Stitcher (This is for Android Phone Users. Download the Stitcher app here)
- Stream it on Libsyn
- Listen to it on Soundcloud (This is for listening via PC/Mac Browser)
- Please subscribe here to Bill Murphy’s Redzone Podcast on iTunes.
- Subscribe to my RSS Feed here.
- Link to LinkedIn blog post
If you enjoy the show, you can help us out by leaving a review on iTunes. Here’s How!
Below are some segment notes that you will find interesting.
- The career path of Alex Hutton [5:20]
- Alex Hutton – Technologist at heart, or more business oriented? [8:25]
- Interpreting IT Security as facilitating profit [9:27]
- “We forget that we’re being counterbalanced with, as an expense, with revenues.” [10:31]
- The relationship between IT Security and Executive Forecasts [10:42]
- Securing versus being Secure – risk management on the IT side of the business [13:28]
- “Part of that forecasting is also knowing your capability to manage” [15:29]
- The Micromort analogy – the importance of ensuring the quality of IT Operations for the CISO [15:47]
- “There isn’t strict data on this, but the impressions that we always got were that sloppy shops make for data breaches” [18:14]
- Where would someone start to understand the necessary pieces to manage? [19:23]
- What is the optimal CISO reporting structure? [21:47]
- Jiro Ono’s Sushi Restaurant – bringing art into IT Security [24:01]
- “A lot of CISOs I know will admit the only time they’ll ever really feel important is when they’ve screwed up somehow” [25:30]
- “What I realized is that how the business consumes me is my bedside manner… I have to develop a good bedside manner to inspire these folks to understand that they need to meet all of our requirements as an organization, not just the functional requirements out of the software” [27:17]
- IT Metrics – Quantitative information designed to tell a story [28:15]
- IT Metrics – Adding a Time and/or Money component to deliver more meaningful data [32:08]
- Resources for extracting probability factors for IT Security Risk [34:06]
- How can a CISO have integrity moving forward? [37:06]
- The Scorecard Sniff Test [39:04]
- “This better be appetizing at the first glance – it better make somebody’s mouth water, or else it’s just not good enough to present to the consumer” [43:24]
- Where do you see the vision of an IT leader looking to in the future? [44:19]
To participate in discussions about these topics and others join our CIO Group on LinkedIn.
Bill is dedicated to your success as an IT business leader. Sign up/subscribe for weekly podcast, CIO Mastermind and CISO Mastermind updates delivered to your inbox easily and effortlessly. Follow Bill on LinkedIn and Twitter.
Leave a podcast review here