Recently I have begun to think about the strengths that make a good CISO. Some of those include technical understanding, business acumen, strategic vision, collaborative mindset, risk management mindset, and probably many others that I missed.

These are traits that are similar to ones found in very successful security entrepreneurs. As I look across the spectrum of CISOs from where they were, to where they are, to where they are ending up late in their careers, I am beginning to think that the CISOs with an entrepreneurial mindset are the ones that tend to be the most successful in meeting the needs of their organization. If you think about it, there are a lot of synergies between entrepreneurial security people and corporate CISOs.

As an entrepreneur in security, you have to think not just about today, but about tomorrow and the years forward. You try and determine what the environment looks like today and how it is going to change tomorrow.

It is impossible for you to go into a bubble and come up with how to provide the best technology or service to your customer. Therefore, you go out and collaborate. You work with them to show how you and your team will provide the best value for them as a customer. You work diligently to understand their business, how it operates, and how you can best integrate to support it. At times, you will make business decisions based on certain risk, whether it be monetary or reputational risk. You market yourself and your capabilities. You constantly relay messages to your customers on how you provide value to them and their bottom line.

So what’s different about being a corporate CISO?

Not much if you ask me. On a daily basis, not only do we as CISOs deal with operational items, but we must also ask about tomorrow and beyond. How will what we see today change? How will this affect us as an organization tomorrow? What is your three-year plan to reduce our risk, etc.?

No effective CISO does these things alone. We do not go into a corner and come up with “Our Plan to Save the World”; we collaborate. We connect with our peers at industry events. We work with industry leaders who gather insight from across other mediums. We subscribe to email lists and LinkedIn groups, follow industry veterans on Twitter, and even listen to podcasts.

This sharpens our skills, just as it does those of the entrepreneur. But wait, that’s not all. We similarly go to our customers (internal or external business users) and find out what they want and need from us.

We work on how to provide value to their business and reduce their risk posture to meet their risk tolerance. We market to them the capabilities that our groups can provide. We talk to them about how we can have a positive impact on the business initiatives that are important to them. We talk about how we want to grow with them and enable them to be a better business, thus positively impacting their bottom line.

Hmmmm, sound familiar? It should.

If you are a CISO and you realize that the things you are doing do not sound similar to either of these, then you may not be providing your company the best of what you can or should be providing.

As CISOs we have a creed that no one really talks about much these days. That creed is about ensuring we are providing value to our customer and our organization. That value can vary depending on many variables, but nonetheless providing value is key.

Many of us are so focused on getting the title that we lose sight of our purpose. If we each provide value to our organization, then we inherently provide value to others through our own organization.

It will take all of us collectively to win the battle that we are fighting. It is truly an uphill battle with no end in sight. However, if you take on the mindset of a security entrepreneur, you will begin to show value to leadership, your team, your customers (internal or external), your peers, and the industry as a whole.