New Year’s Resolutions for the Effective CISO

As the new year approaches, one might wonder how best to prepare for what 2016 will bring. If 2015 is any indication, the role of the CISO will continue to mature and evolve well beyond the confines of IT. CISOs and aspiring CISOs have chosen a role that is continuously evolving — imagine jumping onto a moving train. The moment for New Year’s resolutions is therefore a good time to look 10 (or 50) steps ahead and try to catch the train there.

In 2015, readers hopefully enjoyed my articles on the nature of the conversations that CISOs are having with business leaders, why boards of directors are finally asking about cyber risks, the questions that boards are asking CISOs and comments on how CISOs should report risks to boards. The information on executive communication and the evolving role of the CISO is key for security leaders.

So are you a security leader? Are you moving in that direction? Are you moving to where the train is headed?

Choosing the Time

The first question to ask yourself is: Are you ready to go now? Not everyone is ready to jump on the train; some may prefer to delay another year, for professional or personal reasons. Others may choose to wait and see what their peers are doing, but this approach risks leaving a professional behind.

Choosing a Path

If you have decided to make 2016 a special year of growth and opportunities, the next step is to look around and choose a general direction. The exact path may not be obvious quite yet, but as the CISO’s role matures, it will bring with it new opportunities — and, of course, challenges. So in which general direction do you want to go?

Which Train?

All roads may lead to Rome, but not all trains will transport you toward becoming a more effective CISO. I submit that the effective CISO in 2016 needs to be one who is in tune with the business, whose actions are aligned with the business and whose counsel is repeatedly sought after to assist top management and the board.

This will include tasks such as monitoring, evaluating and directing all activities related to the management and oversight of cyber risks. One of the many ways in which the CISO role is evolving is toward becoming a digital trust officer for the organization.

What’s on Your Reading List?

The most effective CISOs that I know have two major traits. First, they are business-focused in nearly everything that they do. This in no way prevents them from also being skilled at understanding — and in some cases still doing — complex technical security concepts and actions.

Secondly, effective CISOs continually seek to grow their perspective beyond the confines of IT. As one of my CISO friends, Bruno Kerouanton, wrote, “IT is a discipline that can only be complete if we increase the spectrum of knowledge through various channels. History and philosophy are now integral to my vision whenever I think of the future of our technology.” (Translated from the original French by the author.)

So for 2016, reboot your reading list. Are you really investing in yourself and your future if you have fewer than 10 titles in waiting? Browse books on topics such as business, communications (of the human sort), risk management (e.g., enterprise risk management, or ERM) and even top management and board governance.

Broaden Your Horizons

For those times when you’d rather bits of wisdom come your way without much effort on your part, broaden your horizons by trying out some business- or leadership-focused newsletters.

For example, Leadership Vision Consulting is a company whose objective is to “provide a behavior-based understanding of individuals, a clarity to team dynamics and the necessary resources to sustain a strengths-based organizational culture.” You can subscribe to its free newsletter for more information.

Harvard Business Review provides a wealth of articles (and books) on many subjects that CISOs should find relevant. You can subscribe to several newsletters on various topics, including: Management Tip of the Day; Daily Alert; Technology and Innovation; and Strategy and Execution.

Back in a technology-related focus, Michael Rasmussen’s blog is a top resource on all things GRC-related. Another top blog, from Norman Marks, takes an even broader view, looking at enterprise risk management as a whole.

What Company Do You Keep?

So now that you’ve rebooted your reading list, what’s next? How about making new connections with people who have a different focus — perhaps not CISOs — or a different approach or background (e.g., a CISO who came from a legal background). You can even connect with a CISO who has been highlighted as a thought leader.

A good way to meet some of these new faces and fresh perspectives is to refresh your involvement on advisory boards, conference planning committees and the like. If you feel like you’re at the top of your game, what new connections can you make to open your eyes to even higher levels?

Moving Up or Moving On?

Sometimes, there comes a point when we realize we are no longer a good fit for the organization where we’ve spent many years. If you reach that point, read “Evaluating and Attracting Your Next CISO: More Sophisticated Approaches for a More Sophisticated Role” to find out about how your own experience and actions match what companies are being advised to look for in a CISO.

Even if you’re not getting ready to leave, the article can help you assess where you’ve been as a CISO and where you might have to go to catch the train.

Christophe Veltsos

InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato

Chris Veltsos is an associate professor in the Department of Computer Information Science at Minnesota State University, Mankato where he regularly teaches Information Security and Information Warfare classes. Beyond the classroom, Chris is also very active in the security community, engaging with community groups and advising business leaders on how to best manage information security risks.