CISO Tips: Balancing the hero with the storyteller


There's no clear and direct career path to the role of infosec executive. But there are skills that can help you advance your career to the management level, such as deep technical knowledge, strong communication skills and business acumen.

Cybereason. All rights reserved.

Aspiring CISOs take note: there's no clear and direct career path to the role of information security executive. But there are definite skills that can help you advance your career to the management level. These skills go beyond what's typically expected of a security professional, such as deep technical knowledge, and include strong communication skills and business acumen. Of course, knowing about data science, research methods, agile development and the latest technology is still vital. But the biggest challenge (and this applies to veterans as well as newbies) is aligning information security with the business. Whether you're a new CISO, a CISO wannabe or a veteran security executive, read on.

Move laterally, not just up

For aspiring security executives, moving laterally is the best way to the top. In other words, focus on gaining skill sets adjacent to what you already have. For example, if you're a security analyst, get experience managing people. Then, when you're good at managing people, start honing your business skills. This approach allows you to acquire breadth, which makes you a better leader, and shows that you can handle a security leadership position before you actually move into the role.

Don't just look to move up the rungs on the security career ladder. And don't expect anyone to lay out the career path for the next-generation CISO. Often, career development isn't a straight line with an upward trajectory but a series of twists and turns. In each role you have, gain as much professional experience as possible. Learning as much as you can in each role you hold also narrows the skills gap on the career ladder, which can be quite large. For instance, the moves from analyst to people manager, from people manager to director and from director to CISO are all big career jumps. Having a mentor also helps you learn what's expected in the role you aspire to and cuts back on the gaps between positions.

For security professionals who are concerned that they're not totally qualified for an executive role, learning on the job is valid. If you ask security executives how they reached the leadership ranks, you'll be surprised to learn that many of them weren't necessarily ready for the job and learned along the way. They realized that they had many of the right skills and jumped into the role. Sometimes this dive into the unknown leads to a successful security career and other times not so much. Either way, it's a learning experience and will give you valuable information that you can take to your next role. Rather than waiting to be perfectly prepared for your next career move, sometimes you have to jump over the missing rung and reach for the next one. That's how you learn.

Be social

Yes, it sounds like a tall order, but never underestimate the importance of soft skills, especially communication. Security executives could nail every other part of the position, but if they can't communicate what's going on in their department and how it helps the business, they're setting themselves up for failure.

The duties of a CISO are no longer restricted to setting up firewalls or network perimeter devices. These leaders are now explaining to corporate boards how the organization can mitigate security risks and working with product teams to create more secure products. Their domain is no longer the server room or a SOC. They're now expected to interact with all departments. In other words, the next-generation CISO needs to socialize.

Lateral relationships matter and are critical to bridging any gaps between business and security. Establishing them can prove challenging; overwhelms us and there are meetings all day long. But the human interaction is very important to your peers. And those relationships will eventually prove key when you're trying to complete certain projects.

Here are some of the people and departments security leaders need to get to know:

1. The boss

This one seems obvious, although you would never know it by looking at statistics on the average tenure of a CISO, which is around 13 months. While this may seem like a counterintuitive way to earn your boss's respect, CISOs shouldn't be afraid to discuss uncomfortable subjects, particularly when they and their boss hold different opinions. Bosses actually like this. CISOs who always show up with all the answers don't look competent; they look like they're hiding something. Instead, show up when projects are not quite finished and ask for input. Doing this shows humility as well as respect for your boss. They eventually begin to trust that you are bringing up things that really matter, since they have examples of you doing this.

Figure out what your priorities are and then ask for your boss's opinion. This will let you know if your priorities are aligned with the organization's goals. If your priorities are wrong, the most you've lost is a few minutes. Compare that with losing a few months when you discover you and your boss have different priorities. This isn't kissing up; if your priorities aren't aligned with the company, then neither are you or the information security department.

2. Product development

Security teams have a vested interest in making sure their organization creates products and services that are secure and protect customer data. But often security professionals don't know what project their colleagues in product are working on until the project is nearly complete, making security protocols difficult to include. In fact, the product team may have to abandon or rework features after meeting with the security team. To avoid this scenario, which wastes time and money, CISOs should meet with product development and learn about their projects. This allows security to raise concerns and product to address them early in the development process.

3. Finance

Information security requires a budget, which means asking the finance department and CFO for money. When trying to justify a security expenditure to the CFO, show that spending this money is less of a financial risk than not addressing the vulnerability. Remember to center the conversation on the financial benefits, since finance departments think in terms of money, and avoid technical jargon. If CFOs better understand what the CISO's challenges are and how additional fiscal resources could mitigate them, they could be more inclined to approve additional spending requests or at least make some capital available.

4. The board and other executives

When talking to the board and other executives, CISOs need to show how information security benefits one or more of these areas: risk, cost, customer satisfaction, strategic value, employee efficiency and revenue. Those are the only items that really matter to them, since they all impact an organization's success. CISOs should avoid talking about technical details when speaking to these groups. The CEO and your board don't need to know about server configurations or the nuances of the organization's patch management strategy. But they do need to know if the company can muster enough servers to prevent a DDoS attack and has patched the Windows vulnerability that lets attackers use the EternalBlue exploit.

Learn about company culture

Company culture and who holds authority can play a role in the CISO's success. Some soon-to-be CISOs or CISOs are used to and thrive in control cultures with top-down power structures and strict hierarchies. Then they join an organization with a competence culture, where subject matter expertise is the source of authority, not the hierarchy. In these environments, CISOs may struggle with trusting their colleagues, since they're not accustomed to loosely defined power structures and, to their detriment, waste time fighting this culture. CISOs who focus on trying to fix credibility and reliability tend to work harder and in more isolation without much positive impact.

A better use of time would be to build trust by socializing (there's that concept from earlier) with your colleagues, getting to know them better and understanding whether you have the same objectives. Never underestimate the power of lunch. Often this supposed lack of trust in a co-worker is more an issue of not being aligned with the business goals.

Finally, find a mentor. Everybody needs one. You can talk about ideas with a mentor and turn to them for advice, something that a newly minted CISO will inevitably need. Mentors can also provide aid in the inevitable crisis and help you network with other security leaders. Regardless of your company's size and industry, there are other security leaders whose insight can help you be a better CISO.

Be a storyteller as well as a hero

The CISO is expected to wear a hero's cape and stop attacks, develop secure products and protect customer and corporate data. But that's not their only role. Security executives are also at an organization to tell a story about the risks the organization faces and how those risks can be mitigated or eliminated. And this holds true for CISOs at any stage in their career. Remember to balance both roles and you'll prosper as a security executive.

About Cybereason

Cybereason is the leading provider of behavioral-based enterprise attack protection, including endpoint detection and response (EDR), next-generation antivirus (NGAV), and active monitoring services. The Cybereason solution reduces security risk, provides complete visibility, and increases analyst efficiency and effectiveness. Cybereason partners with enterprises to gain the upper hand over adversaries. Cybereason is privately held and headquartered in Boston, with offices in London, Tel Aviv, and Tokyo.