The role of the CISO is changing. We hear about it every day: CISOs must become more business oriented and fine-tune communication skills so other executives consider heads of security business equals.
The industry talks about how CISOs are in a “unique” position: A CISO can’t just be a business executive; she must also have technical acumen, the ability to understand how firewalls and SIEMs work, and maintain the skills that allow her to step in during an incident, if needed, to contain attacks and eradicate the threat from affected systems.
This is not a unique value proposition, however. Aren’t the best Chief Marketing Officers and Chief Sales Officers and Chief People Officers also executives who have worked in coordinator, manager, and/or director positions and understand what it takes at a task level to make those business units successful?
The trick to becoming a great CISO is to become a great leader. And leaders know their craft at a tactical level as well as how to operate at a business level. Says Michael Santarcangelo, leadership and communications expert, “To be effective, security leaders need to be integrated. You can’t do that from your ivory tower.” While CISOs might not be in quite the unique position they believe they’re in, abandoning the technical skills and domain expertise built up over the years is not the way to grow into a more effective leader who can help the security team ward off threats and minimize damage from the abundance of risks headed their company’s way.
Would you capture it, or just let it slip?
A good leader—security or otherwise—is an enabler, providing the support and guidance that allows team members to perform their jobs at the highest level. Team members should feel empowered to make decisions but not afraid to bring a problem or issue to the CISO if that problem or issue requires a different viewpoint, a deeper level of knowledge, or even just the executive sign off necessary to push a decision or action through.
Too often, security leaders are afraid of being perceived as heavy-handed or a micromanager. As a result, they focus on the high-level, strategic aspects of the job and end up ignoring what’s going on day today—who is doing what? How are projects progressing? Are deadlines being met? Is work being done with accuracy? Is everyone on the team doing what they’re supposed to and working towards the same goals as the rest of the team, which is therefore in alignment with the strategic direction of the company? These are questions a good leader should ask daily. If he can’t answer these questions—if she doesn’t know who’s working on what when—then strategic goals won’t/can’t be met and the security organization is going to end up putting the rest of the company at risk unnecessarily.
Go capture this moment and hope it don’t pass
A well-oiled security machine doesn’t run on talent alone. Many security practitioners like the “individual contributor” role and would prefer to sit quietly behind a keyboard, engaging in meetings and collaborating only when necessary. The thing is, collaboration is always necessary when it comes to security. An effective CISO recognizes that, fosters collaboration, but gives individual team members enough girth to do their jobs in a way that works them, as long as the end result is heightened information security for the organization.
Learning to become that leader is a tightrope walk. A very delicate balance exists between allowing a person to work inside his own comfort zone and meeting corporate goals when it comes to protecting the organization’s data. This is where it’s especially important for CISOs to know team members inside and out, keep an eye on the work being done (or not), and understand if any of the technical elements are lacking. If a company discovers it has been breached, a CISO can’t simply report to the CEO and/or board, “Arthur really doesn’t like to share what he’s working on,” or worse, “I had no idea Arthur wasn’t checking log files daily.”
If all of this sounds like a big job, it is. One missed alert, one misconfigured firewall, and the whole company suddenly is CNN Headline News. A sales leader whose team comes up short on revenue for just one quarter has the ability to bounce back the next quarter. A chief marketer whose team sends out an email blast with a typo or incorrect information may have some egg on his face, but the company isn’t sunk because of it. Very, very few braches have resulted in bankruptcy or even firings (to date), but despite the stock price rebound of even the biggest breaches, most breached organizations face serious consequences. Those consequences might only last a year or two, but they absolutely hit the bottom line and can negatively impact peoples’ lives (think: Sony and stolen identities).
You own it, you better never let it go
CISOs can’t only become better communicators and business executives. The job requires a lot more than merely tying security’s goals to business goals. A CISO needs to know what his team is working on and by what technical means objectives are being met. She needs to inspect specifics occasionally and ensure processes are being followed and fine-tuned as the threat landscape evolves. Contrary to some peoples’ beliefs, this isn’t micromanagement; it’s having a grasp of what’s really going on in the organization. Without this knowledge, a CISO can’t expect to lead a team that has even a remote chance of successfully protecting the company from the biggest and baddest threats. Because we don’t always know what’s coming at us from a security incident perspective, a security leader should—at the very least—know and have the capability to handle what’s happening day-to-day at a team and capability level.