Marco Dubbert is the chief information security officer (CISO) for Berlin-based fintech firm LIQID, which he joined over two years ago. Additionally, he supports startups and SMEs as an independent consultant for information security and privacy. He describes the CISO role as one that typically blends managing technical operational tasks with auditing security processes to ensure that they work as intended.
But the role has also evolved over the years—it transitioned from being a somewhat peripheral aspect of IT administration in the ’80s and ’90s, primarily concerned with installing firewalls on computers, to a comprehensive position managing security across all facets of a business. We sat down with Marco and asked him to dispel some common misconceptions about the role and explain how visibility can help security managers in the startup world.
Security management starts with insight, because you can’t protect — or manage — what you can’t see. Marco describes visibility into IT assets, systems, workflows, operations, data, and even people as essential for any CISO. This visibility has three dimensions:
A common mistake that Marco often sees smaller companies make is trying to design policies and documentation and comply with security standards like ISO 27001 before gaining adequate insight into their organization. They may not even have visibility into their key revenue-generating operations and assets.
“In the end, this won’t lead to very targeted policies, because what can you write down if you don’t know what you are protecting? You can only write down some very basic rules and generic policies,” he says. “A good auditor will look behind those policies and see that there’s nothing implemented. And you also won’t improve security by doing that, because just because something is written down doesn’t mean that it is protected.”
Some lucky CISOs who are new in the role will find that a predecessor has already mapped out a full catalog of IT assets, workflows, stakeholders, roles, and more. But most will need to start from scratch and assemble it themselves. This will provide a solid base on which to perform a risk assessment and then build out security policies, as we’ll discuss.
Many employees fear the CISO, or their chief privacy officer. That’s especially true of people who may have spent time in traditional organizations, according to Marco. In this world, the CISO is the person who says no, the person who restricts and blocks and locks things down, effectively sacrificing worker productivity and speed in favor of security. This may have had some element of truth to it in the past, says Marco, but this approach will not serve the modern CISO well. Why? Because it will expand the use of shadow IT: unmanaged tools, technologies, and workflows that circumvent IT checks but ultimately create extra risk for the organization.
“If they think you are the person that blocks something, they won’t tell you about new tools and workflows they may be using,” Marco explains. “You want to avoid that, because as a CISO, you always need visibility of your assets. So you really have to communicate your security approach to prevent such misconceptions.”
In this way, the need for continuous visibility can help CISOs become more transparent with their colleagues and stakeholders, and can encourage greater collaboration between the IT function and regular users. The ideal scenario is a balance between usability/productivity and risk mitigation — or to put it another way, between speed and security.
Marco believes that visibility is potentially the “most important factor” in establishing an IAM system. That means understanding how many and what type of assets (systems, applications, and so on) the organization owns. And then it means understanding how many employees need access to a particular tool and which permissions should be assigned to each. Visibility can reveal how and whether users are requesting access to individual applications, and whether additional training or awareness-raising programs are needed to improve usability.
“In short, you need visibility into the whole IAM lifecycle — not only establishing an IAM but also maintaining and improving it,” explains Marco.
For startup founders, deciding whether to hire a CISO will depend on several factors, including the type of data the company manages, how heavily regulated its sector is, and how many employees work there, Marco says. Finding the right CISO for the job may be a case of hiring externally or sourcing someone who already works at the organization. An external candidate may be a better choice for companies that are “highly technical” and/or that are building up the security management function from scratch.
“However, it will be way more difficult for an external CISO to understand your business and your existing revenue-generating workflows,” he warns.
Once the new CISO has been hired, what should their priorities be? Marco lists these key first steps:
A CISO needs situational awareness of IT assets (software and hardware), IT systems, the connections between components and the underlying technical infrastructure, workflows and operations — especially revenue-generating operations — and key stakeholders.
Determine which parts of the business are most important and identify the IT assets and workflows that support them.
“How you do that is up to you. You can follow some international standards. You can do a business impact analysis. Just try to find a way to prioritize your assets, workflows, and so on,” says Marco.
Understand the potential threat scenarios that exist for those identified and prioritized assets, processes, and data. ISO 27005 is the relevant international risk assessment standard here, but there are others.
Outline the main strategic objectives for security management — the areas that must be covered based on the prioritizations you’ve done. Don’t forget to include reporting requirements to key stakeholders. Ensure that everything important is documented. This is critical to ensuring that the security strategy gets accepted and implemented.
Create ongoing operational goals based on the strategic objectives — for example, “ensure that all SaaS applications are covered by an IAM strategy.” These goals can be assigned KPIs and measured periodically.
“This security program would work as an operational roadmap, in which you would then plan, communicate, and implement specific organizational technical measures and workflows,” says Marco.
Ultimately, CISOs have a difficult balancing act to manage: they must meet sometimes rigorous compliance requirements without blocking essential business processes and operations. This can be especially tough for CISOs in tech startups, whose business practices often diverge quite significantly from the type of organization that many regulations were written for.
However, it can be done by designing effective approval workflows using common tools — like Asana, Jira, or AccessOwl — that meet auditors’ standards and integrate seamlessly into business operations.