Chief information security officers (CISOs) often don’t stay in one place very long. Turnover is high in the position; according to CSO Online, most CISOs stay on the job for a mere 24 to 48 months. During this time, security leaders face tremendous pressures and challenges as they strive to protect their enterprise networks from increasingly advanced threats.
Expert Insights: 4 Key Lessons for CISOs
We asked some industry veterans about the toughest stumbling blocks they’ve encountered throughout their careers and what insights they drew from those experiences that might help today’s security leaders keep up with the rapidly evolving threat landscape. Let’s take a closer look at these insights and explore how they translate to invaluable lessons for CISOs.
1. Understand Corporate Culture
The first step toward successfully implementing a security strategy is to become intimately familiar with how the company works before even attempting to build security inroads.
“A CISO has to have a greater understanding of the culture, politics, business strategy and risks facing the organization,” said Tim McCreight, principal consultant at Online Business Systems.
Joseph Carson, chief security scientist at Thycotic, echoed this sentiment.
“The biggest mistake that security managers make is to force security for the sake of security without first understanding the corporate culture,” said Carson. “Security managers need to first understand the business, the corporate culture, followed then by the risk and data impact assessment, to ensure they have the most effective security strategy that is both good for people and good for the business.”
The best way to get started, McCreight said, is to get up from your desk, walk around the office and start talking to people in different departments to learn about their concerns.
“Talk to managers and line employees and see how they work every day, and how the security program you want to put in place will not only try to protect the company’s information, but impact the way they do their jobs,” he said.
2. Translate Tech Jargon
A classic rookie CISO mistake is to head into a board meeting with a slide presentation filled with information that executives will find complicated or alarmist. Board executives’ most pressing concerns often fall to the bottom of the CISO’s agenda, so security messaging doesn’t resonate as a shared priority.
“The CISO often gets bogged down in detail and is unable to explain the benefits of his or her function to the business in the language that business understands,” said Amar Singh, CEO of the Cyber Management Alliance and former CISO of News International. “Many times, executives are looking for simple and straightforward answers rather than long technical tales.”
To hold executives’ attention and build trust, the CISO should learn to strike the right balance between security detail and business interests and information.
“I don’t think you have to be brutally honest, or attempt to scare or upset your executives,” said McCreight. “The greatest success I’ve had when dealing with executives and boards is to provide a clear, objective perspective on the risks facing an organization. If you want to cement your relationship further, develop mitigation strategies and then give the executives options to reduce the risks.”
3. Strategize and Predict; Don’t Just React
Keeping track of developing threats is integral to a successful security plan, and a strategy with too much focus on reacting — as opposed to proactive defense — can lead to a breach.
“So many times, CISOs fall into the trap of reacting to every new threat that becomes public, from a call from a board member to an urgent email from the C-Suite,” said James Doggett, CISO and senior vice president of Panaseer and former chief security officer (CSO) and chief technology risk officer (CTRO) at Kaiser Permanente.
According to CSO Online, more CISOs are taking a proactive stance in key areas such as threat intelligence, privacy and business initiatives. But a holistic approach requires security leaders to stay on top of new threats while constantly assessing valuable and vulnerable assets to predict attack surfaces.
“Remember, if you have an effective security strategy based on risk, any new threat should fit into this strategy and not change it,” Doggett explained. “Obviously, there are exceptions to this, but if it becomes the norm, we all end up firefighting and not making lasting improvements in our security risk posture.”
4. Get Creative to Find Top Talent
By now, the skills crisis that is plaguing the security industry is well-known and documented. Some security veterans attribute the problem not to a lack of available talent, but to a dearth of skilled, qualified people for specific security roles.
“Finding qualified talent is hard to come by,” said Dennis Chow, CISO of SCIS Security. “Many individuals we pass through our doors for interviews or pre-screens don’t know their fundamentals. It’s scary, because some of these individuals have been in the field for years and have certifications or other credentials to match.”
CISOs with unrealistic expectations about hiring will inevitably struggle to fill out their teams. Solving the problem requires a healthy dose of creativity and out-of-the-box thinking on the part of hiring managers.
“The solution to this is [to] develop your program’s human resource ingestion requirements thoroughly and determine the true skills and experiences needed to align to your specific program,” Chow explained. “Some programs need entry level help, some need seniors.”
Another option is to consider hiring new-collar workers — candidates who lack relevant experience and degrees but have the right aptitude and attitude to succeed in a security career with the proper training.
While a CISO can’t be 100 percent ready for everything, a comprehensive approach that combines knowledge, preparedness and realistic expectations will help them feel ready to handle the cyber surprises that will inevitably be thrown their way.