Cybereason CSO Sam Curry tells us what it takes to succeed as a security leader

Looking for the inside track on how to succeed as a CISO? Then read on. Cybereason CSO Sam Curry fielded career questions from security executives and aspiring security executives during a recent webinar on the next-generation CISO. Some of the topics he was asked about include why CISOs shouldn’t get comfortable in their positions, how security leaders can have meaningful conversations with their boards and why previous success as a CISO isn’t an indicator of future success.

If you want more insight on what’s required to hire and train the next generation of CISOs, listen to our webinar.

What is the best indicator of future success for a CISO?

The best indicator of future success as a CISO isn't previous success. What matters is the work CISOs put in before they join an organization. During the interview process, the CISO must make clear that information security issues are going to be addressed at the executive and board levels. Setting this expectation with other executives up front lets CISOs enter at a level that permits them to elevate the importance of information security. Establishing clear goals for the 30-, 60- and 90-day marks also helps new CISOs succeed.

What’s the career path for becoming a next-generation CISO?

There really isn’t a recommended career path. The CISOs who excel are aligned with the business’s needs and understand how information security can enable them. Lateral career movement also helps. People who are internally promoted to CISO have usually served as Director of Security Operations and have worked with different parts of the business during an incident or breach. Experience as a Business Information Security Officer (BISO) is also helpful for landing a CISO role, especially in the financial services industry.

What are a BISO’s duties?

This role is typically found at large banks. BISOs often develop a formalized language for describing risk within the security department. They generate reports, quantify risk, perform audits, and understand the security policy and make sure it gets revised. Think of the BISO role as an extended form of program management.

When CISOs join a new company, what challenges do they face and how can they overcome them?

CISOs are brought in one of two ways. Either the business hires them, which leads to immediate skepticism from the information security team, who wonder whether their new boss can connect with them, or they are hired as a technical whiz and have to prove that they have the necessary business acumen.

Either way, newly appointed CISOs have to convince security professionals that they’re not an empty suit and can remain technical, while showing the board they're not just a security geek.

Maintaining a link to the security team requires the CISO to appoint a deputy who serves as a trusted advisor. That person has the institutional knowledge of who handles which roles and how projects actually get completed.

To demonstrate their business skills, CISOs need to take actions that show they understand the business and that they’re adapting to their new role. Within their first 30 days CISOs should develop a vision for where an organization’s information security is headed with input from people in the company and share the plan with their boss. By the 60-day mark the plan should be finalized and shared with the entire organization.

How can you successfully translate the liabilities around information security to the board?

First, steer away from FUD (fear, uncertainty and doubt). Second, let no good crisis go to waste. Use a crisis not just as an opportunity to get more money but to reiterate your themes around managing risk. Explain that no company is immune to all security threats and no CISO can stop every threat. Then make the case concretely: for a relatively small investment, setting up these processes, hiring these people and implementing these programs will dramatically reduce the risk in these specific ways.

What is the biggest mistake CISOs can make and how can it be avoided?

There are a few major mistakes that can hurt a CISO’s career, but the biggest is complacency. Don’t accept the status quo. CISOs should challenge their teams and their companies; if they don’t, who else will? Some of the most successful CISOs have pushed their business outside of its comfort zone and had a massive impact. Don’t settle into the CISO role, park yourself at your desk and enter a steady state. The goal of a CISO is to not be comfortable.

About the Author

Fred O'Connor

Fred is a Senior Content Writer at Cybereason who writes a variety of content, including blogs, case studies, ebooks and white papers, to help position Cybereason as the market leader in endpoint security products.