The role of Chief Information Security Officer (CISO) is not for the gutless. It's a tough job. You must be passionate and know the ins and outs of the different security technologies, of network and security architecture, and of risk mitigation frameworks, not to mention have the ability to decipher numerous federal and state regulations and compliance rules and assess the changes your organization's security program needs.
I am writing this post and thinking: who wants to be a CISO anyway? You can read all the articles with roadmaps and guidelines on "How to be the best CISO" (like this one), but at the end of the day, to be an effective CISO you need an amazing team, the appropriate resources, and the right attitude.
Solidifying a team of wacky superheroes
To make intelligent decisions about what technology to purchase and deploy within your organization, you need to understand both the technologies and the threats at a pretty fine-grained level. Or you need to be very good at hiring expert individuals who understand these things, are super passionate about them, and can make recommendations that they can communicate in ways that everyone (and you) will understand. And ultimately, you (must) fully trust them and their recommendations.
Also, don’t follow the same playbook when assembling your security team. Don't hire analysts who all went to the same university or worked at the same company or in the same industry. Good security teams aren’t just composed of people who’ve spent their career protecting corporate networks or can quickly resolve a security issue. The backgrounds of the people on your security team and how they approach problems are just as important as the technology your business uses to defeat attackers. Look for diverse backgrounds and experiences. Your team and your organization's security will be better for it.
Don’t just buddy up to the board - become partners
Great CISOs get involved early and become true partners with the business units, the IT organization, and the application developers, building strong personal relationships with them. CISOs and the IT discipline must develop a relationship built on trust, showing that security is not just there "to do cyber" in ways that interrupt business activities or eat into company profit margins.
CISOs need to speak the language of risk when talking to the board and C-suite. Risk mitigation is the link between a company's security and business units: CEOs, COOs, and CFOs want to reduce risk, and CISOs are the ones who can accomplish that. CISOs need to avoid technical detail. The board doesn't need to know about server configurations or the nuances of the organization's patch management strategy. But they do need to know whether the company has enough server capacity to withstand a DDoS attack and whether it has patched the Windows vulnerability that lets attackers use the EternalBlue exploit.
Successful business and CISO partnerships also mean that the security department doesn't become the department of "NO." Information security professionals are there to help the business mitigate risk (there's that concept again) and also achieve its goals. Not every project can be vetoed on security grounds; businesses exist to take calculated risks for a profit. Learn what projects your colleagues are working on and figure out how security can be incorporated into them before they're released to the market. As the IoT movement has shown, fixing a product flaw is difficult, almost impossible, when security is an afterthought.
Marrying the science and art of security
Security is as much art as science. The art lies in the constant battle between the bad guys and the good guys: there are all these neat ways the bad guys can get through your defenses, and all these neat ways you can protect your assets. That's an ongoing challenge, and you need to relish it. If you don't, why are you doing this work?
Paving the way
Somewhere out there, the next generation of CISOs is maturing. So, how can CISOs train tomorrow’s security executives when today’s well-known security talent deficit makes it difficult to fill even the most basic roles? Retaining cyber professionals isn’t just a matter of offering the biggest paycheck — it requires getting creative with cross-training, hands-on experience and developing collaborative solutions with fellow CISOs.