Congratulations! You’ve finally arrived.
After receiving a hard-earned degree(s), passing the right test(s) to earn the relevant certification(s), working hard for years in different analyst/ specialist roles, slowly moving up the org chart for one or more businesses and gaining the respect of your professional colleagues in the process, you now have achieved your goal. You have entered the guild of professional security leaders.
Perhaps you just landed your dream job as a chief information security officer (CISO), director of IT security, security operations center (SOC) manager or cyber supervisor within a new company. Or, maybe you were recently promoted to that all-important leadership spot within the same government office that you’ve been at for years. Others come from a technology or business manager role in other parts of the organization and have moved over to the red-hot field of cybersecurity for any number of reasons.
But regardless of how you arrived in your new role, you’re excited about the opportunity. This has been a long time in coming, and you have developed a plan. You are determined to be successful and fix all the things that you suspect are “wrong.”
You’ve spent time thinking about new strategies for the company networks, the staff, the enterprise architecture, the misplaced security priorities, the budget, the vendor product selections, the training, the priorities and/or anything else. You are determined to make a positive impact in your first year, if not in the first six months or even first 100 days.
What can possibly go wrong?
First of all, let me reassure you. You are not alone. Many of us have been where you are now.
Everyone in a position of authority remembers back to the first time they were in organizational leadership. (Yes, I know that we can all be leaders in any role, but I am primarily referring to supervisors over people, or managers over supervisors, or directors over managers or perhaps even a chief over directors. No doubt, some new security leaders are one-person operations with dotted lines all over the organization.)
Second, lots can go wrong. External factors from breaches to budget cuts to losing key team members are often out of your control in the early days.
Third, you are on probation – whether formally or not. Hopefully, you have a boss you like (and who likes you) and a wider executive leadership team that is supportive and gives your enough time to grow in the role. If not, you already have one or more strikes against you before you begin.
Nevertheless, let us focus on the positives. What are the things you can control and need to watch out for? What common mistakes have I seen new security leaders make over the past two decades?
I have been blessed with the opportunity to work with public and private organizations from around the world such as Mantech International, MS-ISAC, InfraGard, NASCIO, federal agencies, foreign governments and more, so this is not focused on our current security team in Michigan.
Before I start, please note that I am not saying these should be your top five security priorities. That’s a different post for another day. There is also another list of items that most new security leaders get right – such as doing early risk and skills assessments. I am saying that I consistently see new security leaders fail in the following areas.
So what are the most likely mistakes new cybersecurity leaders make?
1) Becoming “Dr. No” – You have made a list and checked it twice. Now you’re ready to use your newly-acquired security power to shut down all the bad things that are going on in your enterprise. Be careful…
Despite the natural security leader urge to get the hammer out, you don’t want to be known as the “party pooper.” Your goal: Be known as an enabler of secure technology and innovation.
I learned this lesson the hard way, and you can read the story about how I was almost fired early in my career as Michigan’s first CISO when I opposed WiFi a decade ago for security reasons. Of course, today's technology cutting edge has moved on to BYOD and the cloud, but the same temptations exist to veto new things. If you want to learn more about this wider “getting to yes” topic, read about seven common security career challenges – which is not limited to just security leaders.
2) Not building your professional network, 360 degrees – New security leaders need to think about building trusted relationships with all parts of the org chart (from superiors, to peers to front-line staff.) Get out and meet your customers. Get your face known in the appropriate circles. Get involved with key enterprise committees and workgroups during the first year. Walk around. Leave the office. You’ll be glad you did.
3) Focusing only inward for too long – No public speaking, no blogging, no social media, no external committees. This area is similar to #2 but external to your organization.
Without a doubt, a top priority for new cybersecurity leaders is to be accountable for data protection, that means and back-office efficiency for people, process and technology. However, the common view that it takes 6-12 months or more to “get your act together” before getting out of the office is a mistake. Building the right connections in the relevant industries will harm your career and your credibility.
One example: My boss and Michigan CIO David Behen created a “CIO Kitchen Cabinet” as a private sector advisory board with Fortune 500 businesses in Michigan when he first started his new role. He challenged me to do the same in security, and we set up an external “CSO Kitchen Cabinet” – with 15 or more outside security partners. It was a great idea, and it helped us launch the Michigan Cyber Disruption Response Strategy in collaboration with the private sector.
Postive public relations (PR) (both internally and exernally) takes time and work – but start early. It will help you and your team when times gets tough. Positive communication and good stories of your team's success need to be a part of your plan to succeed.
4) Poor vendor management / relationship habits – You can “fall off of the horse” on either side of this external partner problem. Some security leaders spend all their time with security product and services companies - building roadmaps, lifecycle plans, new upgrade strategies and more. They make meeting with the never-ending list of well-established companies and hot new security startups their full time job. Some openly favor one or two particular companies based on past experience or personal friendships.
Others do the opposite – thinking they know better than everone else or that security vendors are their major problem to overcome. They avoid meeting with vendors, because they can take up a lot of your precious time.
A related but different challenge is an “all or nothing” approach to advisory services like Gartner and Forrester, who provide magic quadrants and advice on cybersecurity and technology priorities, strategies and industry trends.
Of course, getting the right time balance regarding contracts and contractors is the goal. But only experience will ultimately build trusted partnerships in this space (but some training can also help). My advice is to surround yourself with experienced pros and internal support staff (such as legal, procurement, technical experts, etc.) to guide your through this potential make or break vendor fire swamp.
5) No mentor – For some unknown reason, many new security leaders think that either they can go it alone or no one has done their particular job before or they don’t have time for an external mentor.
Bad move. Find a trusted, respected mentor as soon as possible in your new role. It will help in numerous ways. And someday, return the favor and mentor one or more new leaders.
In conclusion, there are plenty of resources online to help new (and veteran) information security leaders solve problems. One of the best websites for answering specific questions is: www.infosecleaders.com. While I don’t always agree with Lee Kushner's and Mike Murray's answers, I usually do. I highly recommend taking a look.
Most of all... WELCOME ABOARD!
And enjoy the journey.