In this blog post, Aaron Kraus, Zeguro’s Director of Cybersecurity, shares some tips & tricks to get the most value out of the CISO Mind Map for your business.
If you’ve never heard of it, the CISO Mind Map is a fantastic tool published by Rafeeq Rehman. Published annually, the Mind Map can help not just cybersecurity leaders but all business leaders understand the far-reaching impacts of cybersecurity to their business.
Think you’re not a business with cybersecurity concerns? Think again - all businesses that use, generate, or store data (read: basically every business in existence) need to consider cybersecurity, and cybersecurity leaders in any size organization can use the Mind Map to help flesh out their role and responsibilities.
In case the acronym is unfamiliar, CISO stands for Chief Information Security Officer. In this fast-paced business environment, “Information Security” or “InfoSec” is largely being replaced by the term “cybersecurity”; regardless of semantics, the CISO is the person charged with ensuring a business’s data and operations remain secure.
The CISO Mind Map is a visual organization tool that captures the relationships between the CISO (or equivalent role with cybersecurity responsibility) and the rest of the business. It can be thought of as a visualization of the CISO’s sphere of influence - and most importantly, it illustrates the crucial role that cybersecurity, like IT before it, plays in all aspects of today’s business.
Over time the Mind Map has expanded from a simple star diagram showing a few areas of IT security-related responsibility to the current web showing the key role cybersecurity plays in all areas of the business. Looking at this year’s Mind Map, the Security Operations node shows the items most of us associate with cybersecurity, but there are other important areas where the CISO should either be consulted or is actively required for input. These include Project Delivery Lifecycle (often thought of as DevSecOps), Business Enablement (providing IT services that function securely), and Legal/HR and Governance (each of these is often its own business unit or responsibility area, but there are obvious bidirectional relationships between each and the cybersecurity team).
The Mind Map isn’t just an interesting overview of a CISO’s job. The two use cases below demonstrate how you can use it to your advantage as a cybersecurity practitioner; of course, your mileage may vary, and some elements may be more or less applicable to your particular business.
1. Guiding CISOs with their responsibilities.
Each high-level node in the Mind Map represents an area that you, as the chief cybersecurity practitioner, need to consider. Many of these practice areas, such as Security Operations, will be under your direct purview, but many of them will either belong to someone else (HR and Legal usually have their own key personnel) or are a high-level collaboration (Risk Management and Business Enablement).
For items under your direct purview the path is clear: you control how your business is going to implement threat detection, for example. You’ll most likely have your own budget and relative freedom to make your own decisions on matters such as which anti-malware tools to use, or what cloud audit service you’ll be using.
Relationships and shared expectations need to be established for items outside your direct purview, as your options to dictate other people’s job responsibilities are usually limited. Background checks are a great example: the head of HR is usually in charge of this area, so you need to establish a good working relationship with that person and make sure your requirements, such as employment/credit/criminal history checks, are met by the HR processes.
The collaborative items are going to be the trickiest, because they represent high level business processes where politics, silos, and other bureaucracy can come into play. Corporate risk management needs to be run by the very highest levels of the organization and take input across the whole business. Cybersecurity risk will obviously be represented by the CISO, while a COO might be charged with identifying and reporting on operational risks. Where do operating regulation requirements, such as for PCI-DSS or SEC, fit? The answer is really both of those teams, which requires close collaboration and also executive decision-making power to prioritize the correct risk-based action plans.
2. Communicating cybersecurity to other C-level executives.
It’s the CISO’s job to communicate and champion their position/responsibility, and the Mind Map can be a useful tool to do that both on your team and to the rest of the business. Despite “let me paint you a picture” being a derogatory statement, visual aids are incredibly helpful communication tools, especially for complex information like the bidirectional flow of information between the legal department and cybersecurity working through contract language.
Business processes like IT and cybersecurity can often become messy because they underpin the entire functioning of the business. IT often gets dragged into battles where an information system isn’t really the issue, but a business process supported by the system is. By clearly defining roles and responsibilities around shared areas like Project Delivery Lifecycle, you can enable the rest of the business to move more quickly, because they know what they’re on the hook for vs. what the cybersecurity team provides.
As an example, you may say that defining security requirements for software development is owned by the Engineering team (they’re responsible), but the Cybersecurity team must be consulted before requirements are handed over to developers. In this case, whoever manages requirements should have a clear process for consulting the Cyber team as part of the requirements process, and the Cyber team can set clear expectations.
As a CISO or equivalent cybersecurity professional, it can feel like there’s an infinite amount of work to be done and not enough time, resources, and people to accomplish it all. While the CISO Mind Map can’t do anything to make the workload smaller, it does at least help you figure out what should be on your to-do list, and also gives you a great tool for communicating complexities like Cybersecurity requirements for HR/Legal teams and how those teams address the requirements.