Building and Executing a Winning CISO Strategy

How can a government CISO get executive buy-in to obtain authority, autonomy and budget? What are the keys to success in the public sector? What are examples of important cybersecurity projects that are ongoing in major U.S. cities like Atlanta? Here is an exclusive interview with former Atlanta CISO Taiye Lambo.

by Dan Lohrmann / September 11, 2016

Where can government executives go for case studies that point the way in cybersecurity?

Over the past decade, I have lauded the many benefits of working with the National Association of State Chief Information Officers (NASCIO), the Multi-State Information Sharing & Analysis Center (MS-ISAC) and the National Governors Association (NGA) on cybersecurity issues and solutions. But many people continue to ask me, are there any recent examples or case studies you can point to?

Which leads me to this interview with Mr. Taiye Lambo on what’s happening in Atlanta.

A quick glance at Taiye Lambo’s LinkedIn profile will tell you a few important career highlights such as:

Lambo was the chief information security officer (CISO) in Atlanta from March 2015 until July 2016.

Lambo has a long list of professional certifications, including CISSP, CISM, CISA, HISP and others.

He is the founder of several companies, including the Holistic Information Security Practitioner Institute (HISPI), which formed a partnership with the Cloud Security Alliance and also contributed to the development of the NIST Cybersecurity Framework.

Lambo was an innovative cyber leader in the United Kingdom (UK) before coming to the U.S. He was the founder of the UK Chapter of The Honeynet Project and the co-founder of Cybercops Europe.

However, what none of these career accomplishments shows you is Taiye Lambo’s passion for improving public-sector cybersecurity effectiveness. I met Taiye a few years ago, and I was immediately impressed with his cyber knowledge and the clarity and purpose that were evident in his public presentations.

Behind the scenes, Lambo offers an engaging personal style that is intriguing and contagious. When I approached Lambo about doing an interview, he agreed on the condition that the topic was instructive for government CISOs around the country and that it highlighted the great work going on in Atlanta government. So here you go:

Mr. Taiye Lambo speaking at EC Council Meeting in Atlanta in 2015

Dan Lohrmann (DL): What are you most proud of during your time as CISO in Atlanta?

Mr. Taiye Lambo (Lambo): I would list three main accomplishments:

  • Obtaining executive leadership support (CIO, COO, City Council, Mayor and Cabinet); Mayor’s video, Mayor’s COO and CIO policy sign-off and significant funding for FY17 starting July 1.
  • Establishing the Office of Information Security; grew the team from 2 full-time equivalent employees (FTEs) to 4 FTEs and 3 interns.
  • Establishing ISO 27001 ISMS; reducing attacks/risks by as much as 99 percent by investing in people.

DL: How can new CISOs build and execute a winning strategy? What are the main components needed?

Lambo: As the cyberthreat landscape continues to evolve, a breach in security could impact public safety, hinder economic growth and financial stability for federal as well as state, local, tribal and territorial (SLTT) government entities. The need for a top-down approach to information/cybersecurity with vocal buy-in from the highest level of executive leadership is the most critical success factor for implementing a winning CISO strategy. Success can only be guaranteed with the right amount of authority, autonomy and budget in place.

Under Authority: Weaknesses in people and process accounted for most of the high-profile security breaches that we have seen across both private and public sectors in the past decade. Most of these security breaches could have been prevented by publishing and enforcing effective policies and procedures, combined with effective user awareness training. Policies lack any real authority without having adequate sign-off from the highest level of executive leadership.

To demonstrate support of an effective information/cybersecurity program, high-level information security policies should be signed off by the highest level of executive leadership, including a statement emphasizing the need for a culture of security.

Under Autonomy: For information/cybersecurity to be truly independent, impartial and objective in carrying out its duties, much like an internal audit function, it should ideally be placed in a department where it can operate objectively and impartially and not be perceived as a pure IT function.

Under Budget: Executive leadership needs to put its money where its mouth is. For example, the state of Israel, probably the most attacked country in cyberspace, last year announced its intention to allocate 8 percent of its annual budget to cybersecurity. This investment is way above the public-sector average and makes a bold statement that they are ready to tackle this issue head on.

DL: Tell us more about obtaining the needed authority and autonomy. Any suggestions?

Lambo: Sure, here’s my top five list:

  • Educate executive leadership by quantifying risks in monetary terms including reputational loss.
  • Develop a strategic plan based on a current-state assessment and a road map to achieve the future state.
  • Position yourself as a mission/business enabler through alignment and DO NOT be a Dr. NO.
  • Have frank conversations with executive leadership about ownership and accountability.
  • Obtain vocal and visible support from executive leadership through video(s), policies, etc.

DL: How about cybersecurity budgets? What are some keys to making sure the right resources are allocated to avoid data breaches?

Lambo: Budgets can be a huge challenge. I see a lack of using benchmarking data and risk scoring/ratings such as NASCIO studies, data breach risk calculators and the CloudeAssurance platform to quantify risks and justify funding needs.

At the same time, invest more in people and processes and less in technology, and maximize technology investments.

DL: You mention people, process and technology needs. How did you build the right relationships as CISO in Atlanta? Is there a repeatable approach that can be used by others?

Lambo: I think there is. Here’s what I did:

Chaired an Information Security Governance Board (ISGB) established by our CIO who hired me. This board met monthly to guide the execution of my CISO strategic plan including ISO 27001 ISMS Policy Development, Review and Approval, Asset Management, Risk Assessment & Treatment, Vulnerability Management and Incident Management.

This board consisted of senior executives from Risk Management (under Finance), Legal, IT, Facilities, Atlanta Airport, Mayor’s Office of Emergency Preparedness and was co-chaired by the City’s Assistant Chief of Police.

DL: What was your greatest challenge as CISO of a major U.S. city?

Lambo: You won’t be surprised if I say funding. Constantly balancing the need to not raise city taxes versus securing adequate funding for IT investments with direct impact on taxpayers, such as information/cybersecurity. Also, staffing: attracting the right talent and cultural fit is difficult due to pay inequity compared to the private sector.

I would add scoping, that is, ensuring all city information and technology assets spread across approximately 40 city departments and 10,000 users are efficiently and effectively protected.

DL: Any regrets or things you would do differently as you look back now?

Lambo: On personal reflection, I probably should have spent more time getting involved in community activities on behalf of the city, outside of IT or information/cybersecurity. I had the privilege of being invited to deliver keynote sessions at events such as Hacker Halted Global CISO Forum, Technology Association of Georgia (TAG) Cyber Simulation Exercises, ISACA Conference and even at my local church for National Cyber Security Awareness Month in October, but looking back, I wish I had carved out time to volunteer for community events such as the ones addressing homelessness, particularly amongst veterans in Atlanta, a cause that I’m very passionate about.

DL: What’s left to be done in Atlanta regarding information security?

Lambo: My team and I were about halfway through implementing my two-year strategic road map when I resigned from the role to return to my entrepreneurship dream, which is my first love.

The team is now charged with maturing our ISO 27001-based ISMS from CMMI Maturity Level of 2 to 3 over the next year, which will ultimately enable the city to achieve ISO 27001 Certification and CMMI Level 3 Appraisal. Atlanta will most likely be the first U.S. city to achieve this major milestone, thereby becoming a Center of Excellence for Cyber Security as desired by the mayor.

DL: What security areas are major U.S. cities struggling with the most?

Lambo: Ensuring that initiatives such as the Atlanta SmartCity (SmartATL) championed by executive leadership have security built-in as opposed to bolt-on or afterthought. To ensure Atlanta does not become a dump city due to future SmartATL hacks, I helped draft the Smart City Security Framework for SmartATL and integrated this into the CIO’s overarching SmartATL Strategy.

DL: What is your new role?

Lambo: Actually, my current role is not all that new; I’ve simply returned to doing what I was doing before stepping away to take on the challenge of being Atlanta’s first CISO. I’m back to being the founder and CTO of CloudeAssurance, the first rating system for enterprise and vendor (cloud and non-cloud provider) security. CloudeAssurance is a spin-off of eFortresses, a 2013 Gartner Cool Vendor in the Risk Management and Compliance category.

ISACA Abuja Chapter 7th Annual International Conference – Theme: Aligning Nigeria with the Rest of the World

DL: What will you be doing in the near future?

Lambo: My team is currently in the process of scaling the CloudeAssurance ratings database to 10,000-plus cloud services and also developing a RESTful API that will enable CASBs like IBM, CipherCloud and Netskope as well as MSSPs and Cyber Liability Insurers to consume our ratings seamlessly.

Since 2012, the CloudeAssurance team has been doing security ratings of the Top 200 Cloud Services, including the top three by market share (Microsoft Azure, Amazon Web Services and IBM SoftLayer), on a quarterly basis and we are now trying to rate thousands of SaaS apps that are running on these leading cloud platforms. Our mission is to foster the safe and secure adoption of cloud services.

DL: Where do you see your priorities over the next three to five years?

Lambo: My three-to-five-year goal is to help fill the global cybersecurity skills gap by training and educating current and future leaders in our space on how to build and execute a winning CISO strategy in a cost-effective and efficient manner, leveraging lessons learnt from my past CISO roles (John Harland and the city of Atlanta). I hope to achieve this through the Holistic Information Security Practitioner Institute (HISPI), a nonprofit that I founded almost a decade ago. I’m proud to state that HISPI has produced some of the best CISOs that I’ve had the privilege of working with in my almost two decades in information security. I’d like to continue on the journey of making a positive impact on our industry through HISPI to foster increased diversity in our industry, by creating lucrative career opportunities for minorities, thereby helping to reduce inequality in our world.

DL: Any final thoughts you can share with us regarding information security leadership?

Lambo: Fifteen years after the 9/11 attacks, we are probably less safe in cyberspace than we were in 2001.

But back to what I said earlier, budget, autonomy and authority are not an option, but a must-have for a CISO winning strategy.

CISOs and CIOs should start to invest more in people and processes and less in technology.

Most security breaches can be prevented by taking a commonsense approach that we all practice when leaving our homes daily; locking our front and back doors and closing our windows is basic vulnerability management and making sure we don’t have any step ladders lying around our property is removing or reducing exploits. This type of common sense should be commonly practiced in cyberspace.

DL: My thanks again to Mr. Taiye Lambo for taking the time to provide us a glimpse behind the ongoing work in Atlanta government and his ongoing work in the cybersecurity industry.