My reflections as a CISO

Stepping into the management role can be a daunting task. In this article I will do my best to explain what my experience has been so far as a Chief Information Security Officer (“CISO”).

The management role

OK, you have to face it: you are no longer the security techie nerd who can dig into a bunch of logs for several days at a time. You are now expected to make plans for the time ahead, do risk assessments and figure out where the business is in terms of security. You are expected to own the security area, and to have clear and concise plans on how to bring the business further.

This task can seem daunting at first; however, you should be up for the challenge if you have been accepted into such a position.

Being part of management also means you should try to be visible, show commitment and have confidence in the plans ahead. Security is a lot more than technical speeches and finding out which boxes to buy. A very big aspect of the job is spreading security awareness, and in order to do this you have to be at least somewhat of a people person! Over my engagement so far, I’ve listed a few things that help me stay visible:

  • Don’t bunker in your office all day. Get out there, and get chatty! Open your office door and the blinds on the windows.
    If people see you as an open person, you lower the bar for coming to talk with you about security issues. Who do you think knows the most about the current security landscape, the employees or your firewall? Overall you want employees to see you as someone they can trust when disclosing security issues. You do not want them to feel like they are going to the police, reporting an offense, and risking being jailed themselves.
  • Talk to people and introduce yourself and your work. Show your enthusiasm for your work, and explain why security is such an interesting field. If you can get them infected with your own enthusiasm, you will have a very positive epidemic on your hands. Remind the employees that “providing good security is providing good service”!
  • Encourage employees to come talk with you, especially regarding security concerns and issues. Let them know that you are a person they can talk privately to, between 4 walls and 4 eyes. You should not be hard to reach.
  • Stay visible by sending out monthly newsletters. The OUCH! newsletter from SANS (www.securingthehuman.org) is perfect for this. Remember that each newsletter is a perfect chance to reinforce security policies and encourage staff to talk with you, or to report security issues.

Another important thing is that you should be really careful not to be too hands-on in your role. Security should be baked into the business processes as naturally as possible, not something everyone points at, expecting it to fix itself! Implementing security this way, the proper way, is a truly challenging thing, as many people in your organization may think that you are there to solve things for them. As a rule of thumb, and an analogy to security work, I’ve always said to myself: “You’re not the dust boy, cleaning up after everyone else. Instead of cleaning up the kitchen chef’s spill, you must teach them how to properly work the kitchen. You’re here to help them make better food, prevent spills and help them clean up after themselves.”

When people approach me saying “Hey Chris, you’re a security guy, right? I have this thing…”, I interrupt them immediately. I tell them that I am not the only security guy; you are one too! The business expects it from you, and we really need to stay security aware today! Security is not something we point at, but something that should be incorporated.

Reporting – Don’t be a victim of the security roller-coaster

If you do your job perfectly, management will never have any security issues to be concerned about, and everything should be great, right? You’ll get the budgets you want, increase your team size and be in a secure position at the firm!

No, not really. If everything is great, all the time, you will have less of a chance to defend your budget, position and team! Why? Because no one will know about all the great stuff you accomplish every day while defending your organization. Remember that hacker your team stopped, but you didn’t bother to take credit for? Well, unless you explicitly let your organization know about this, they won’t know about it, and so the possibility arises that leadership starts thinking your position may be surplus.

But hold on, I am not saying that you should let something bad happen to you, so you can be the white-horse vigilante who swoops in and saves the day. No, on the contrary, you should do what many security leaders don’t do: report on all the stuff you actually accomplish every day! Report on the security events hitting your firewall and IDS, the script kiddies you’ve stopped and the viruses blocked. Most likely you are being attacked all the time, perhaps several times a day, but your team, security solutions and budget are managing to fend it off. You need to report on this!

So, what is this security roller-coaster? The idea is that if you don’t report on all the great stuff you are providing the business with, you may be the victim of budget cuts and lay-offs. If upper management gets the impression that everything is perfect, they may get the idea that they don’t need a designated security department. While you may advocate for an increased security budget to win the war, they may instead cut it. They may even dispose of your position because everything is so great!

If they decide to run without your position and your team, they will probably fall victim to a compromise during the months to come, and hiring a new CISO may then be their decision. This is the roller-coaster effect. You go up, things are looking nice, then you come down.

Remember that the business has made an investment in you. They want a security manager who makes sure they don’t get compromised, or in some other way get bad media coverage for having poor security. You have to report on all the great things you do every day to accomplish this. Make sure they know you are a good investment!

Want to become a CISO?

These are my thoughts for any aspiring CISOs out there. Be sure to know what you are going for. This is not necessarily a techie position; however, you are mostly making up your own days. It is important to know that you are expected to focus on business and strategy, leaving less open time to do hands-on technical stuff (which so many of us love!).

You must also expect to do a lot of paperwork. Security decisions should be anchored in policies which can be easily referred to. In many cases these policies need to be properly approved by the organisation’s management, so be ready for some paper shoveling. Another thing on paperwork is that you will probably be working on some form of Information Security Management System (“ISMS”). Usually these frameworks require a great deal of documentation to implement successfully. Don’t feel discouraged by this though, as you will most likely find it very rewarding to seal the deal by getting management approval of your policies. Having a document to point at when referring to security decisions is really useful!

You should also be advised that once you climb the organizational food chain, you will be doing less and less security work, and spending more and more time telling others what to do. You should be confident that you can appreciate delegation instead of doing it yourself. Remember that good leaders delegate! Delegation will free you up to tackle the truly important challenges in your business. After all, you will be able to follow up on the work you have delegated, and that may allow you to get a bit technical and sometimes get your hands dirty!

When you are working as an engineer, architect or something similar, the job is very much about ‘you’. You are the hero, the guru, the expert, etc. When you move into management it’s all about ‘we’. It’s no longer about you – it’s about your team!

Final words

If you are an aspiring manager, don’t give up! Let everyone, and I mean EVERYONE, know how you feel about security. Let your passion shine through and make your enthusiasm rub off on others. Take action and lead! Sometimes pointing at things is not enough, you need to do it yourself.

To any current managers out there, I really do hope you avoid the security roller-coaster, and that you found my thoughts helpful. Remember that a good leader enables their team to make their own decisions. An effective team jumps at opportunities, instead of just ‘doing what we’re told’. That culture comes from you!

I encourage everyone to leave a comment with your thoughts. Follow me on Twitter if you’d like to hear more from me! Thanks for reading!

  • chr

    I really enjoyed your article. I’m currently pursuing a CISO-like position, never done stuff at that level but I’m passionate about infosec and I do like challenges. Thanks for sharing it

    • Awesome buddy! Let me know if you have any questions 🙂 Good luck pursuing your goals!

  • Christophe Pradier

    Nice reading, that resembles my own experience as a CISO.

  • David Sirman

    This article provides extremely good information & an honest perspective. I am about to enter InfoSec as career & have aspirations to become a CISO. My goal is to enable & empower others, not to be the techie doing it myself. I think from your article the most challenging things for me will be to resist doing it myself & learn to delegate. Any suggestions concerning career path to CISO, particular areas of expertise to focus on, skills & certs to acquire?

    • Hi, thank you for your feedback! I wish you all the best luck in pursuing your infosec career! I am glad you could learn something from the article and hopefully it will motivate others as well.

      Regarding what certs to acquire, I was actually looking for an article I read a couple of months ago regarding which certs were considered the highest value for the different types of security jobs. It’s too bad I cannot find it now. I do however think there are many ways to Rome; there is no definitive set of certifications you need to get started. On the other hand, I’ve heard that CISSP is very valuable for CISOs, and it is often considered a minimum.

      Good luck David!

  • MarkB

    A few comments on your very well stated perspective…

    You will likely find that others will expect you to be the leader of all InfoSec programs and activities. This is good, but make sure that you also tell them what that means. Within the company or division, you are the one true professional who can be expected to apply the security best practices to this business line. You are that leader with one foot in both boats, the business goals and objectives, and the security methodology and practices. Your mission is to ensure that the business can fulfill its goals without losing the IT assets (data, applications, systems, networks, end nodes).

    Security for the sake of security is done by external agencies – security-as-a-service businesses. Conversely, internal security programs are there to make sure the company “does our business securely” … business comes first, and security is expected to be flexible and creative in protecting the company’s assets.

    Last point – As the CISO, your work and guidance allows all other business leaders in the division to make risk-aware decisions. This means that if business line A decides to take on high levels of risk in pursuit of big rewards, the business manager who makes that decision, the manager of that business line, owns both the reward and the risk. Don’t for a second allow anyone to think they can get the reward for themselves, and dump the risk (and impact of a loss) on the CISO. The CISO does not own the risks, but the CISO does identify, measure, and report the risks to the management team.

    • Thanks for commenting MarkB. I like your thoughts a lot, and I really appreciate you sharing your thoughts with me and the community. Your comment could’ve easily been banked into my article, I like it! Thanks again 🙂


  • Your article I should say came through my browser at the right time. I am currently pursuing a Masters in IT Management and my mind is made up on my thesis being on System Security and Audit. Problem however is I have no idea what angle I should start on so as not to end up with a very shallow or rather obvious research path. Any pointers would really be appreciated.

    • Hi Macharia,
      Thank you for an excellent question! 🙂

      Perhaps you can research on the security rollercoaster which I discussed in my article? You could perhaps prove my hypothesis? Additionally you could provide research on doing proper risk management and reporting.

      Good luck!

      • Thanks… I think that is a good point to start on. In case of anything I will keep in touch as I am already following you on Twitter. Cheers!!