Chief information security officers (CISOs) often don’t stay in one place very long. Turnover is high in the position; according to CSO Online, most CISOs stay on the job for a mere 24 to 48 months. During this time, security leaders face tremendous pressures and challenges as they strive to protect their enterprise networks from increasingly advanced threats.

Expert Insights: 4 Key Lessons for CISOs

We asked some industry veterans about the toughest stumbling blocks they’ve encountered throughout their careers and what insights they drew from those experiences that might help today’s security leaders keep up with the rapidly evolving threat landscape. Let’s take a closer look at these insights and explore how they translate to invaluable lessons for CISOs.

1. Understand Corporate Culture

The first step toward successfully implementing a security strategy is to understand how the company actually works before attempting to build security inroads.

“A CISO has to have a greater understanding of the culture, politics, business strategy and risks facing the organization,” said Tim McCreight, principal consultant at Online Business Systems.

Joseph Carson, chief security scientist at Thycotic, echoed this sentiment.

“The biggest mistake that security managers make is to force security for the sake of security without first understanding the corporate culture,” said Carson. “Security managers need to first understand the business, the corporate culture, followed then by the risk and data impact assessment, to ensure they have the most effective security strategy that is both good for people and good for the business.”

The best way to get started, McCreight said, is to get up from your desk, walk around the office and start talking to people in different departments to learn about their concerns.

“Talk to managers and line employees and see how they work every day, and how the security program you want to put in place will not only try to protect the company’s information, but impact the way they do their jobs,” he said.


2. Translate Tech Jargon

A classic rookie CISO mistake is to head into a board meeting with a slide presentation filled with information that executives will find complicated or alarmist. Board executives’ most pressing concerns often fall to the bottom of the CISO’s agenda, so security messaging doesn’t resonate as a shared priority.

“The CISO often gets bogged down in detail and is unable to explain the benefits of his or her function to the business in the language that business understands,” said Amar Singh, CEO of the Cyber Management Alliance and former CISO of News International. “Many times, executives are looking for simple and straightforward answers rather than long technical tales.”

To hold executives’ attention and build trust, the CISO should learn to blend the necessary security details with the business interests and information executives care about.

“I don’t think you have to be brutally honest, or attempt to scare or upset your executives,” said McCreight. “The greatest success I’ve had when dealing with executives and boards is to provide a clear, objective perspective on the risks facing an organization. If you want to cement your relationship further, develop mitigation strategies and then give the executives options to reduce the risks.”

3. Strategize and Predict; Don’t Just React

Keeping track of developing threats is integral to a successful security plan, and a strategy with too much focus on reacting — as opposed to proactive defense — can lead to a breach.

“So many times, CISOs fall into the trap of reacting to every new threat that becomes public, from a call from a board member to an urgent email from the C-Suite,” said James Doggett, CISO and senior vice president of Panaseer and former chief security officer (CSO) and chief technology risk officer (CTRO) at Kaiser Permanente.

According to CSO Online, more CISOs are taking a proactive stance in key areas such as threat intelligence, privacy and business initiatives. But a holistic approach requires security leaders to stay on top of new threats while constantly assessing valuable and vulnerable assets to predict attack surfaces.

“Remember, if you have an effective security strategy based on risk, any new threat should fit into this strategy and not change it,” Doggett explained. “Obviously, there are exceptions to this, but if it becomes the norm, we all end up firefighting and not making lasting improvements in our security risk posture.”

4. Get Creative to Find Top Talent

By now, the skills crisis plaguing the security industry is well known and documented. Some security veterans attribute the problem not to a lack of available talent, but to a dearth of skilled, qualified people for specific security roles.

“Finding qualified talent is hard to come by,” said Dennis Chow, CISO of SCIS Security. “Many individuals we pass through our doors for interviews or pre-screens don’t know their fundamentals. It’s scary, because some of these individuals have been in the field for years and have certifications or other credentials to match.”

CISOs with unrealistic expectations about hiring will inevitably struggle to fill out their teams. Solving the problem requires a healthy dose of creativity and out-of-the-box thinking on the part of hiring managers.

“The solution to this is [to] develop your program’s human resource ingestion requirements thoroughly and determine the true skills and experiences needed to align to your specific program,” Chow explained. “Some programs need entry level help, some need seniors.”

Another option is to consider hiring new collar workers — candidates who lack relevant experience and degrees but have the right aptitude and attitude to succeed in a security career with the proper training.

While a CISO can’t be 100 percent ready for everything, a comprehensive approach that combines knowledge, preparedness and realistic expectations will help security leaders handle the cyber surprises that will inevitably be thrown their way.
