The CISO role encompasses much more than setting up firewalls and patching systems. While security leaders still need strong technical acumen, these skills alone won’t be enough to succeed as an executive. CISOs and CSOs (or anyone who leads a security department) need to be aligned with the business and understand how particular events at an organization can shape a CISO’s career.
That advice comes from Cybereason CSO Sam Curry, whose career includes four stints as a security leader. Those events, according to Curry, include obvious ones like data breaches and mergers and acquisitions, as well as tech replacements and large technology projects, which present CISOs with an opportunity to show that they’re business savvy and not only technologists. While each event is different, security leaders need to be viewed as the risk expert during each one.
“We want to be seen as the risk storytellers within a company. It’s very important to start having a dialogue about risk and risk reduction, not in terms of absolutes, but in terms of what are mitigating controls, and how do you invest your resources? That’s the challenge for a CISO,” Curry said.
We asked Curry for his take on how security leaders should best respond to these eight events, which all have the potential to either help or end a CISO’s career. In this blog, we’ll cover large-scale projects and tech replacement. In earlier blogs we’ve covered management change and a breach as well as mergers and acquisitions and penetration testing. We’ll get to the final events (maturity shift and management briefing) in the coming weeks.
Can’t wait that long? Then listen to this webinar Curry led on the eight moments that can make or break a CISO’s career.
By default, large-scale projects have strategic value since they involve big budgets and multiple people and departments. For CISOs, large-scale projects require them to be the voice of risk, foster change and demonstrate operational excellence, Curry said. But even the most talented security leaders can’t excel in all three areas, a lesson Curry learned from a previous boss.
“He told me, ‘You personally can’t do all three because even if you were good at all three, which nobody is, you can’t physically do all three. Choose the ones you’re going to own and put your mark on.’”
To handle the other areas, Curry suggests that CISOs draft “lieutenants” in the security department who understand these domains and can execute the CISO’s security plan for the project in the context of how it benefits the business. Making allies with people from other departments who are also working on the project also benefits security leaders by helping them execute their plan, he said. CISOs should look for allies in the finance and IT departments or among project managers, and those allies should have expertise in the areas that the CISO isn’t handling personally, Curry said.
What CISOs perceive to be the end of the project is actually its middle, Curry said. While the laborious work is complete, the project now has to prove its business value. Failing to show what value information security brought to the project makes CISOs seem more focused on technology than on enabling the business. This perception can stymie their career in the organization or lead to their dismissal.
“The career risk is actually quite high, but it’s something you can control. You can get ahead of it. Alignment to the business matters. You have to show that you’re a business person,” Curry said.
Demonstrating their business skills requires CISOs to consistently track the value that their contribution to the project brought to the business, Curry said. Given the price tag of these projects and that they’re approved with the expectation that they’ll help the business, they’re typically scrutinized by executive management and even the board. Security leaders who can directly connect a project’s success to their effort stand to advance their careers by portraying themselves as business-savvy in addition to possessing security skills.
Wondering how security can be incorporated into a large-scale project from the start instead of being tacked on at the end? Sam shares his advice in this blog.
Like large-scale projects, tech replacements are subject to executive scrutiny and have a high price tag. But, unlike large-scale projects, they focus on a change in either the IT or the security stack. There can also be a political component to tech replacements, Curry said.
“There could be a lot of people who aren’t really convinced that the move to the new toolset or new piece of the stack is needed, but they’re going along with it because they’re sure that they would lose politically if they went against it. They’re waiting with a knife and will stick it in if anything goes wrong,” he said.
Moving to a new tool or software means replacing a technology that people are familiar with by one that they may never have used before and that has the potential to break. That puts the CISO’s career at risk if any adoption issues can’t be resolved quickly, for minimal cost and without disrupting the business.
“Have contingencies for when things go wrong. We don’t know what we don’t know. Only as you engage will you figure out where the peculiarities are,” Curry said.
Just as with large-scale projects, security leaders should turn to lieutenants to help them execute aspects of the tech replacement, recruit allies in other departments, and track the value delivered.