Bang the drum all day
Defining a “good” chief information security officer is difficult. On one side, many CISOs have risen through the security ranks due to their technical prowess and were thus handed a “business position,” asked to manage a team, and required to start briefing the executive suite on the state of the company’s security. In executives’ terms. On the opposite side, other companies are hiring or promoting traditional business executives to the role.
In the latter case, these business executives don’t understand security beyond “we need to keep our data secure,” but have a firm grasp on building partnerships, planning and forecasting, identifying growth opportunities, and scaling back unnecessary cost centers. In an ideal world, these attributes and qualifications are blended to form one Super CISO. While still rare, a few CISOs—mainly those who have come up through the technical ranks—have managed to adopt a more business-like mindset while ensuring the technical side of security doesn’t suffer.
When I get older, they think I’m a fool
Business leaders who accept and take on the challenge of a CISO role have the responsibility of learning about security technology so they can understand the possibilities, the realities, and the limitations of the security department. Over the years I’ve heard several security practitioners say that if a CISO isn’t a security person, this just isn’t doable. It certainly is doable, but a concerted effort needs to be made. In addition to his or her other responsibilities, a “business CISO,” for lack of a better categorization, can embed him/herself within technical teams and learn and watch. Being a good leader is all about asking the right questions, so with some time and effort, gaining a working knowledge of security can be accomplished; it’s critically important for the CISO to have this knowledge when the time comes to level set and/or make judgement calls about the risk posture of the business.
Coincidentally enough, within the last week I’ve heard from two very experienced and influential security leaders that even technical CISOs should be taking time to keep up with the tech. Pete Nicoletti, CISO at Hertz Corporation, advised current CISOs to “Sit with your team. Get to know every person’s job below you. See what they do, understand what they do, get to know their challenges, learn their workflows.” What the security (and networking) team is doing technically now may be very different than what the CISO did when she/he was sitting in the analyst or engineer seat a few years back. Comprehending what’s going on day-to-day and how things operate now helps the CISO both defend the security team’s actions to the C-suite when necessary or appropriate, and “call BS” on security when things aren’t getting done when or how they should.
Similarly, Diana Kelley, Executive Security Advisor at IBM Security recently presented a talk in which she advised up-and-coming security practitioners to take a learning path that provides varied experience within cybersecurity. Kelley, herself, has served as a systems admin, a security analyst, has worked in product development, and now advises CISOs all over the world. She, just like Nicoletti, knows that the way to gain credibility and influence is to master your subject. This requires ongoing learning and development, whether you’re in school and looking to get into security, if you work as a manager or director and aspire to be a CISO, or are a current CISO looking for ways to improve your team and its outcomes.
The teacher told me I should stay after school
For that technical CISO, though, the rest of the executive team is looking for security’s alignment with corporate strategy. So while keeping up with technology might be less of a hassle—and perhaps more fun—the technical CISO’s mission should be to learn more about the business and leadership, and convey business context to his/her technical staff regularly. The CISO needs to thoroughly grasp corporate strategy to be successful, so every time a business discussion takes place or a strategy email appears in the CISO’s inbox, that message should be distilled and applied to security’s initiatives, then filtered down through the technical ranks to the rest of the security team.
The technical CISO’s charge is to take a proactive interest in the business; it’s beyond “speaking the language of the business.” Just like a business CISO can shadow technical teams, a technical CISO can sit with and learn from business units about their workflows, objectives, demands, and thought processes. Learning the language of the business isn’t only about how one speaks; it’s about a deep understanding of what makes a business tick and where the business is headed.
I don’t want to work, I just want to bang on the drum all day
Informing oneself about other areas of the business takes significant time, effort, and an open mind, but this is the future of the successful CISO. For those who are more technical, the priority is to work on areas of business acumen that might not be as comfortable or familiar. Remember that companies don’t grow and thrive because they have a really fantastic technology infrastructure. Excellence comes from an understanding of the marketplace, financial opportunities, and people. For business-oriented security leaders, don’t forget that businesses run on technology. No technology is impenetrable and every piece of technology has its limits. Knowing those capabilities, and the capabilities of the people managing the technology (because no technology runs on its own), is an influential factor in identifying the next area of growth. All of this said, none of it is easy. It’s why CISOs get paid the big bucks. Are you ready?