Navigating the CISO Role: Common Pitfalls for New Leaders

What are the top mistakes that I see new security leaders continue to make in 2024 as they start their CISO careers or take on new roles? How can these challenges be addressed?

More than a decade ago I wrote a blog post entitled, Top five mistakes new IT security leaders make.

What may surprise you is that, despite all of the advances and changes in the technology and cybersecurity industries over the past 10-plus years, the advice I gave is not only still relevant, but these areas are still top concerns — with some new twists.

As a quick summary (although I do recommend reading that entire article), here are the top five pitfalls I presented in 2013:

1) Becoming “Dr. No”: You’ve made a list and checked it twice. Now you’re ready to use your newly acquired security power to shut down all the bad things that are going on in your enterprise. Be careful …

Despite the natural security leader urge to get the hammer out, you don’t want to be known as the “party pooper.” Your goal: Be known as an enabler of secure technology and innovation.

2) Not building your professional network, 360 degrees: New security leaders need to think about building trusted relationships with all parts of the org chart (from superiors to peers to front-line staff). Get out and meet your customers. Get your face known in the appropriate circles. Get involved with key enterprise committees and workgroups during the first year. Walk around. Leave the office. You’ll be glad you did.

3) Focusing only inward for too long: No public speaking, no blogging, no social media, no external committees. This area is similar to No. 2, but external to your organization.

Positive PR (both internally and externally) takes time and work — but start early. It will help you and your team when times get tough. Positive communication and good stories of your team’s success need to be a part of your plan to succeed.

4) Poor vendor management/relationship habits: You can “fall off of the horse” on either side of this external partner problem. Some security leaders spend all their time with security product and services companies, building road maps, life cycle plans, new upgrade strategies and more. They make meeting with the never-ending list of well-established companies and hot new security startups their full-time job. Some openly favor one or two particular companies based on past experience or personal friendships.

Others do the opposite, thinking they know better than everyone else or that security vendors are their major problem to overcome. They avoid meeting with vendors, because they can take up a lot of your precious time.

5) No mentor: For some reason, many new security leaders think that either they can go it alone or no one has done their particular job before or they don’t have time for an external mentor.

Bad move. Find a trusted, respected mentor as soon as possible in your new role. It will help in numerous ways. And someday, return the favor and mentor one or more new leaders.

UPDATES FOR 2024


So what’s missing from this list?

A common, but nevertheless accurate, perception that most new CISOs have is that they need to do a baseline risk assessment of the enterprise. This is something that most new CISOs get right because it is often required and/or necessary to measure progress against metrics.

But what may not be as obvious or common is assessing your people in addition to the processes and technology. No doubt, many new cybersecurity leaders need to know about audit findings, controls in place (or not), identity management, frameworks implemented (like CSF 2.0), processes that are working well and those that are not, and other risk area checklists.

A few “people-related” tips:

1) Surround yourself with experts who can strengthen your weak areas and help with blind spots.

2) Build a team that works well together. Especially important are those who directly report to you. (Side note: This is why so many head coaches in college and pro sports bring their staff with them when they switch roles. Smart leaders understand the importance of trust and how the entire organization can sink or swim based on the speed of trust within your leadership team.)

3) You can even measure your progress on how relationships are working in a 360-degree manner. For details on how to do this, see this article on how to evaluate CISOs.

This topic of developing a team is one that, while on the minds of many new security leaders (whether CISOs, security directors or whatever the title), is often very difficult to achieve in our current environment where security talent is hard to attract and retain over many years. This can be especially true in the public sector where the pay, benefits and stock options are often lacking.

Still, as I have written many times, I would rather have a team of capable, trustworthy, hard-working security pros than a team full of security “rock stars” who are outstanding — but whom I do not trust.

Other security leaders only hire people who are not as good as them, fearing that they will be outshined.

The point: You can fall off this horse on either side, but put time into selecting and supporting your team.

And before I wrap up this blog, I want to point you toward common reasons that all security pros can fail, which overlap with this CISO success and failure topic list in several respects.

FINAL THOUGHTS


When I posted a LinkedIn version of the 2013 article, I received many comments. Several of those were about CISOs who had good management experience but without adequate technical skills. Here was one comment from Jean Pawluk:

“Well stated. I [am] starting to see too many CISOs though who have absolutely no technical background, who just don’t understand security, become obstructions because they spend 99% of their time managing up instead of learning about the security needs of their orgs or preventing problems from occurring in the first place. They rather accept almost all risk since they think it’s cheaper to pay later.”

My response: “Jean - I totally agree. I think you can fall off that horse on either side. Either not enough technical prowess or others who struggle to connect with senior management and the business. One of my points is that, in reality, it is even more complex than that. There are five (or six) sets of relationships and skills that need to be examined.”

Bottom line, every new CISO brings strengths and weaknesses into their leadership role, but we can still learn from the experiences of others and avoid the traps that you will inevitably face.
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.