A couple of years ago, there was a survey that tallied the average tenure for a chief information security officer (CISO) as only 26 months. That means many of us CISOs will have to hit the ground running more than once in our careers as we shift into new organizations and opportunities. It helps to have some keys to success. As a 30-year veteran of cybersecurity and a still-practicing, still-learning CISO, I have some guidance to share that has helped me over the decades, and it can support other CISOs too.
In this first article, I’ll examine two keys to success when entering a new CISO role: things you can do to make the most of the opportunity from day one. In the second part of this series, I’ll share two additional key factors that I’ve found to be invaluable in elevating the CISO role, and in extending a tenure well beyond that 26-month window.
Together, the two articles provide guidance to achieving greater visibility for the security function and engendering support from both the C-suite and the board. They’re designed to put the job of today’s CISO in perspective, and make the work more interesting, more fulfilling, and, hopefully, more fun.
My Guidance for Brand New CISOs
The skills that helped you climb the ranks to become a CISO have clearly done well for you along the way. In today’s world, the path to CISO can start in many places. For me, it was IT. For many others, it is in the cybersecurity department. But, over the past few years, we’ve also seen CISOs come from diverse areas such as the business side or auditing.
Whatever your background, the reality is that being a CISO is probably unlike any other job you’ve had before. The knowledge and skills that got you to this point are not necessarily the knowledge and skills that will make you a successful CISO. So, one of my main points is to learn to be comfortable with being somebody you are not—at least not yet.
It requires a shift in mindset. Most people thrust into the CISO role probably have a strong knowledge of cybersecurity technology, or perhaps specialized knowledge in other areas, such as enterprise IT, regulatory compliance or auditing. The point is, once you become a CISO, your responsibilities are instantly broader and more diverse. You can’t be the one testing the latest cybersecurity point products or writing audit reports. You must be a leader, mentor, teacher, motivator. You must learn to speak the language of business. You must inspire trust and respect, not just among your team, but throughout the entire organization.
The Keys to Succeeding in a New CISO Role
Key #1: Hire Smart People
My first bit of practical advice when entering any new CISO role is simple: hire people who are smarter than you. There’s a famous quote from Steve Jobs: “It doesn’t make sense to hire smart people and tell them what to do. We hire smart people so they can tell us what to do.”
A common pitfall among new managers, CISOs included, is to think that hiring smarter people means that those people are going to gun for their jobs. The reality is just the opposite: Hiring smart people and giving them the leeway to do their jobs well will benefit the company and benefit you as a leader.
One of the factors I consider when I look for smart people to hire is whether the person has the mentality of a teacher. There is tremendous value in hiring someone with a teacher mindset. They can be mentors to others on your team, and they take pleasure in watching the light bulb go on for other people.
Two of the other qualities I look for: Passion and heart. For example, if someone is just out of college, I will ask about extracurricular activities. Were they involved in the cyber club at school? Were they president of the cyber club? Did they teach cyber safety at a local elementary school? How can the person show me they have the passion and heart for cyber? After all, this job is too challenging not to love cybersecurity and have deep curiosity for the field. Spending time eating, sleeping, and breathing cyber is a great early indicator of future success.
I also consider practical knowledge. I’m one of those people who love certifications. A certification shows that an independent third party has evaluated and validated the skills and knowledge of that person, and it becomes part of the dialogue in an interview: you can often hear in a candidate’s language, or see in their body language, whether they truly understand the work. So those kinds of validations should hold weight when considering candidates. I also understand that there are leaders who do not like certifications. I get it. Not everyone tests well, and conversely, some people can read the material and pass any test while lacking practical application of the knowledge. There will always be outliers. Whether you like certifications or not, understanding a candidate’s practical knowledge is necessary in helping a CISO build a successful team.
Key #2: Create Visibility Everywhere
When it comes to the role of the CISO, there are different types of visibility to consider. First is visibility across the organization into potential gaps or weaknesses in cybersecurity protection.
For example, most companies use Office 365 to handle email. Depending on the size of the organization, this one application alone could be generating millions of log records each day. How do you parse through all of that with enough visibility to determine which are the highest-priority threats, the ones that require immediate action? Perhaps you need to work with a managed services provider for your Security Operations Center (SOC), or create new processes that ease the burden of threat hunting and analysis on your teams. And perhaps the technologies and processes you put in place for an application such as Office 365 can then be extended across all of your enterprise applications.
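To make the triage problem concrete, here is an added example (not the author’s tooling or any vendor product) that runs simple prioritization logic over a handful of constructed Office 365 audit records. The field names follow the general shape of the unified audit log (CreationTime, Operation, UserId, ClientIP, ResultStatus, Parameters), but the events, the operation weights and the failed-login threshold are assumptions made for illustration; the point is that a small set of rules, such as a failed-login burst followed by a success from the same address, or a new inbox rule that forwards mail, turns an undifferentiated log stream into a short, ranked list a SOC can act on.

```python
"""Toy triage pass over Office 365 audit events (added example, not the
author's tooling). Records, weights and thresholds are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta


def _rec(ts, op, user, ip, **extra):
    """Build one constructed JSON audit record (sample data, not a real tenant)."""
    return json.dumps({"CreationTime": ts, "Operation": op, "UserId": user,
                       "ClientIP": ip, **extra})


# Constructed sample log, one record per line. The last line is deliberately
# truncated to show that a single bad record must not abort the whole pass.
SAMPLE_LOG_LINES = [
    _rec("2024-03-01T08:00:00", "UserLoggedIn", "alice@example.com", "203.0.113.10",
         ResultStatus="Success"),
    _rec("2024-03-01T08:05:00", "FileDownloaded", "alice@example.com", "203.0.113.10"),
    *[_rec(f"2024-03-01T09:0{m}:00", "UserLoginFailed", "bob@example.com",
           "198.51.100.7", ResultStatus="Failed") for m in range(5)],
    _rec("2024-03-01T09:05:00", "UserLoggedIn", "bob@example.com", "198.51.100.7",
         ResultStatus="Success"),
    _rec("2024-03-01T09:07:00", "New-InboxRule", "bob@example.com", "198.51.100.7",
         Parameters=[{"Name": "ForwardTo", "Value": "drop@example.net"}]),
    '{"CreationTime": "2024-03-01T09:08:00", "Operation": "UserLoggedIn"',
]

# Assumed base weights: operations that commonly appear as persistence or
# exfiltration after a mailbox compromise score high; routine ones score low.
OPERATION_WEIGHTS = {
    "New-InboxRule": 8,
    "Set-Mailbox": 6,
    "Add-MailboxPermission": 7,
    "UserLoginFailed": 1,
    "UserLoggedIn": 0,
    "FileDownloaded": 1,
}
UNKNOWN_OPERATION_WEIGHT = 2           # anything unlisted still gets a look
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
FAILED_LOGIN_THRESHOLD = 5             # assumed burst size
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}


def parse_events(lines):
    """Parse newline-delimited JSON; skip malformed or incomplete records."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["_ts"] = datetime.fromisoformat(rec["CreationTime"])
            events.append(rec)
        except (ValueError, KeyError):
            continue
    return events


def failed_login_bursts(events):
    """Map (UserId, ClientIP) -> time at which THRESHOLD failures fell inside WINDOW."""
    by_key = defaultdict(list)
    for e in events:
        if e.get("Operation") == "UserLoginFailed":
            by_key[(e.get("UserId"), e.get("ClientIP"))].append(e["_ts"])
    bursts = {}
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > FAILED_LOGIN_WINDOW:
                start += 1
            if end - start + 1 >= FAILED_LOGIN_THRESHOLD:
                bursts[key] = times[end]
                break
    return bursts


def rule_forwards_mail(event):
    """True when a New-InboxRule record carries a forward/redirect parameter."""
    names = {p.get("Name") for p in event.get("Parameters", [])}
    return bool(names & FORWARDING_PARAMS)


def triage(lines):
    """Return [(user, score, reasons)] sorted by descending risk score."""
    events = parse_events(lines)
    bursts = failed_login_bursts(events)
    scores, reasons = defaultdict(int), defaultdict(list)
    for e in events:
        user, op, ip = e.get("UserId"), e.get("Operation"), e.get("ClientIP")
        scores[user] += OPERATION_WEIGHTS.get(op, UNKNOWN_OPERATION_WEIGHT)
        if op == "New-InboxRule" and rule_forwards_mail(e):
            scores[user] += 4
            reasons[user].append("inbox rule forwards or redirects mail")
        if (op == "UserLoggedIn" and e.get("ResultStatus") == "Success"
                and (user, ip) in bursts and e["_ts"] >= bursts[(user, ip)]):
            scores[user] += 10
            reasons[user].append(f"successful login from {ip} after failed-login burst")
    return sorted(((u, scores[u], reasons[u]) for u in scores), key=lambda t: -t[1])


if __name__ == "__main__":
    for user, score, why in triage(SAMPLE_LOG_LINES):
        print(f"{score:3d}  {user}  {'; '.join(why)}")
```

On the constructed data, bob surfaces at the top with two concrete reasons (a burst of failures followed by a success from the same IP, then a forwarding rule), while alice’s ordinary login and download stay near zero. Real deployments would replace the static weights with baselines per user and tenant, but the structure, parse tolerantly, correlate across records, then rank, is what lets a small team act on millions of daily events.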
Creating visibility is a perpetual action that every CISO needs to be involved in. When COVID hit, we had to support workers at home. We needed visibility, so we hired a third-party provider whose application puts an agent on all of our endpoints. It doesn’t matter whether the user is at home, in an office, or at a coffee shop: that little agent creates visibility for our organization, reporting everything to the SOC in near real time.
Beyond the visibility into your cybersecurity risk environment, there is also the need for CISOs to create visibility about their role and how their cybersecurity teams and investments are protecting the organization. For example, in the event of a geopolitical crisis, the CISO must be in a position to communicate the level of threats to business leaders and to provide details on how threats are being continuously monitored and assessed.
As CISOs, we have to create a certain level of awareness of what we do and how we are doing it. That means building relationships with your executive team and peers across the organization and using those connections to create new clarity around security needs and solutions.
What’s Next to Succeed as a CISO?
What else can you do as a CISO to succeed in your role and make the job more fun and fulfilling? Check out the second article in this series, “The Keys to CISO Role Success, Part Two: Elevating Your Stature,” for guidance on two more important actions you can take to make the most of our challenging and rewarding security profession.
Ed Harris is Global Director of Information Security at Mauser Packaging and a fellow at the Institute for Critical Infrastructure Technology.