The CISO role encompasses much more than setting up firewalls and patching software. While security leaders still need strong technical acumen, these skills alone won’t be enough to succeed as an executive. CISOs and CSOs (or anyone who leads a security department) need to be aligned with the business and understand how particular events at an organization can shape a CISO’s career.
That advice comes from Cybereason CSO Sam Curry, whose career includes four stints as a security leader. Those events, according to Curry, include obvious ones like data breaches and mergers and acquisitions, as well as tech replacements and large technology projects, which present CISOs with an opportunity to show that they’re business savvy and not only technologists. While each event is different, security leaders need to be viewed as the risk expert during each one.
“We want to be seen as the risk storytellers within a company. It’s very important to start having a dialogue about risk and risk reduction, not in terms of absolutes, but in terms of what are mitigating controls, and how do you invest your resources? That’s the challenge for a CISO,” Curry said.
We asked Curry for his take on how security leaders should best respond to these eight events, which all have the potential to either advance or end a CISO’s career. In this blog, we’ll cover the maturity shift and the management briefing. In earlier blogs we’ve covered a management change and a breach; mergers and acquisitions and penetration testing; and large-scale projects and tech replacement. Want a more in-depth perspective on how to navigate these moments? Then listen to the webinar that Curry led on the topic.
Organizations typically move through four phases of cybersecurity as they mature and the security leader should be the catalyst for each transition, Curry said. When the board, the C-suite or another factor causes the maturity shift, the CISO’s career could be at risk.
“When you’re forced to shift, as opposed to being the agent of the change, it signals that the board or the C-level don’t trust you as the leader anymore,” he said.
The four phases of security maturity are:
Tick the boxes: Security is treated as a checklist in the first phase. There’s a sequence of tick boxes and the security department, which is typically small and consists of two to four people, goes down the list, addresses each topic and checks off the box when the task is complete. When all the boxes are checked, the company has a rudimentary level of security.
Compliance security: Enterprises are usually forced to enter this phase in order to grow, because they must comply with regulations and industry standards like HIPAA or PCI DSS. “When you move into a compliance phase, it’s usually because there’s a big stick being held over the company,” Curry said.
IT risk: The company maintains its largest security department during this phase, sometimes reaching the hundreds of people, and “everything related to security falls squarely in the lap of the CISO,” Curry said. Given the many duties that the security leader is taking on during this phase, the CISO’s stature in the organization elevates rapidly. “[CISOs] become C-level players, but they’re still treating IT risk like it’s different from other forms of risk, and it’s not empire-building so much as everything security winds up getting sucked up,” he said.
Business risk: The security department can actually shrink during this phase, since its focus narrows to cybersecurity rather than every issue that is related to security. Cybersecurity practitioners establish information security policies that reduce risk and enable the business, while also handling cybersecurity-specific tasks like threat hunting. Meanwhile, the IT department manages firewall policies, authentication projects, antivirus updates and other security-adjacent tasks.
This phase is when CISOs reach the pinnacle of their career in the company, sometimes reporting to the board or taking on the duties of a chief risk officer in addition to handling security.
By leading a maturity shift (or weathering one that was initiated by the board or C-suite), CISOs can be “very strongly placed to call the shots,” Curry said. Budget constraints, new managers and new partners can accompany each phase and an executive is needed to oversee the transition. Being an agent of change requires adopting a business mentality and determining how security can best help a company achieve its goals while reducing risk.
“Be seen as a businessperson first. Your job to the security people is to be a provider and logistics person to enable them to do their job. Your job at the business table is to be the voice of risk, not the minutiae in security,” Curry said.
Curry also recommended demonstrating process and “not turning up with the answers.” Showing that a CISO has a process for resolving a problem or managing projects builds credibility with other C-level executives and the board more effectively than “perfection in knowledge,” Curry said.
Management briefings, which encompass presentations to the board and to other C-level executives, hold little risk for a company but great risk for a CISO’s personal brand. Both kinds of briefing require CISOs to show that they have a voice and a reason to be heard. “It is a great thing to be summoned to meet the emperor but it’s also a dangerous thing,” Curry said.
CISOs who are asked to give executive briefings or board presentations need to prove that they were worth inviting. Showing that the invitation wasn’t wasted requires CISOs to speak the language of business (especially how security can reduce risk), discuss how security can help the business and avoid technical jargon.
“Your trust and career are on the line here, and risk management, as a discipline in the company, is at risk. It can be elevated, or it can sink. Get this one right,” Curry said.
CISOs should form a “personal board” that they can turn to for advice on how to present security topics to either the board or executives in a way that resonates with them. Curry’s personal board is composed of five people, including a former sales executive and a former venture capitalist, whom he turns to for career guidance and executive coaching.
Curry also suggested that CISOs form an advisory board made up of people from within their own company. This lets them test the content they plan to present before the briefing takes place.
“Socialize things ahead of time. You should not be doing the big unveil of what your story is at the meeting. Everybody should know what you’re going to present before you do,” he said.
If the material the CISO plans on presenting doesn’t resonate with the advisory board, the content needs to be revised, Curry said. The CISO’s objective for the meeting should be to clearly and smoothly present a narrative in the allotted time and convey how cybersecurity helps the company succeed. When the meeting is over, the audience should have the impression that the security leader is a member of the C-suite who understands how the company operates, not a technologist who only thinks in terms of hardware, software and code.
“You want to be asked back to speak, so make sure you’ve smoothed out the rough spots ahead of time and that you’re ready for a business discussion,” Curry said.