Don’t be afraid of failure! That’s a key trait that a successful CISO must possess, says John Whiting, the Global Director of Cyber Risk at global advertising giant Omnicom.

“Not every aspect of your program will succeed at first due to a variety of factors, such as technical, culture and support,” Whiting said. “It could take years before an adoption of what you’re trying to maturate in your program gets truly baked into the culture.

“The CISO is a rough role, depending on which organization you actually report to. If you report into technology, and the company is just starting their security journey, you may have the challenges – especially on the cyber end – of telling your boss that stuff under their management is not secure and needs to be fixed. If you report to the CEO or into legal, you’ll probably have more compliance and audit support natively behind you. So depending on where you report to in the company may help or not help the journey of your success, depending on the industry you’re in.”

Other traits that contribute to a CISO’s success are soft skills, like being able to communicate and convey your program to peers; being attentive to the needs and growth of your staff; knowing how to manage risk; and being knowledgeable about the organizational goals and aligning your program with them, Whiting said.

“You need to be involved as a risk manager, managing the cyber risk of the company, from security operations to architecture, to threat intelligence, data governance, asset management and third parties. It’s a holistic picture,” he said.

A critical part of risk management is what you can mitigate and treat and when, and how you transfer or accept the residual risk for a documented period of time, he added.

Automation of intelligence and incident response, zero trust networking, identity governance and protecting APIs are the top industry trends he identifies.

Whiting leans on more than 20 years of experience in information security and technology. He was recruited to his current position from Omnicom subsidiary DDB Worldwide Communications Group, where he served as the first global chief security officer. Prior to that, he was the director of information security and inaugural business information security officer for Global Corporate at insurance powerhouse AIG.

Whiting served as director of IT and security at Publishers Clearing House at a time when the company was being sued over its promotional practices by attorneys general in all 50 states, making it a high-profile target for threat actors.

This multifaceted experience has informed his execution of the CISO role by making him operations oriented and business savvy.

“In some of the jobs I had, along with security, I was also responsible for resiliency and accountable for some operations. And I knew what it took to actually operationalize IT and business programs. And because I understood what it took to run the operations, it helped me in talking to constituents on a business level,” he said. “That’s very important these days with the evolution of the CISO, who is much more of a business leader and lobbyist than previously. I also understood about budget constraints and resourcing constraints and how to get stuff done.

“And because I worked at some very large companies that were older and methodical, I was able to transition the soft skills of having good operational manuals, runbooks and standard operating procedures to standardize and make repeatable processes that lead to better security. They’re not security per se, but because it’s driven in a systematic way that’s repeatable, it’s easier to audit and it’s easier to control the security.”

Staffing and having the budgets to retain good staff is the number one challenge facing CISOs today, Whiting said.

“There’s always a resource shortage,” Whiting said. “There’s a lot of leaning on cross-training of other areas and talents, along with augmented staff. But the augmented staff is good for repeatable processes or under the guidance of full-time staff, because they do not have the legacy resident knowledge to help the process long term. Make sure your internal staff are happy and being developed. Take their input on improvements to the program and have them engaged with the constituents.”

He presents his budgetary case by focusing on facts, risk and rewards rather than metrics.

Whiting advises fledgling CISOs to have some overarching risk management experience, and soft people skills to deal with staff and colleagues. And lastly – “a lot of heart and passion to deal with finance and budgeting challenges,” he said.

He also warns them to prepare for the fact that they’re going to get breached.

“Users and constituents are not going to always listen to you until after the fact,” he said. “And you just need to remain calm and deal with that. That’s part of the job of being a CISO. You are a counselor.”

And when that breach happens, “never let that opportunity go by,” he said with a laugh. “A good incident might be a point to leverage your program to get more people aligned with you and to get your budget in.”

At Omnicom, Whiting is involved in every facet of the risk program, interfacing with dozens of teams and with corporate to make sure all risks are addressed and in compliance with regulatory requirements and control objectives. One focus is innovating the management of risk around emerging technologies such as artificial intelligence and robotic process automation, as he develops more systematic control objectives for these new risks.

“Automation is the next thing, which is why stuff such as machine learning and AI are top on the list right now,” he said. “The question is, how do we control those risks around them?”

Whiting sees the CISO’s role evolving in the direction of a subject matter expert and consultant.

“Most of your high-volume work, such as vulnerability management, security monitoring, pen testing and parts of your incident response, is all outsourceable to service providers,” he said. “That leaves the CISO more time to evaluate the data and the metrics outside of those and evaluate the risk, while at the same time becoming more of an advocate to the business instead of spending your time or your staff’s time monitoring screens.”

Whiting decompresses from the stress of his work with hobbies – classic cars, a passion for cigars (mostly Nicaraguan, Cuban and Dominican), and travel.

“I travel all over the world. I love the Caribbean and I love Europe,” he said.

Read the CISOs Connect™ Magazine CISO Spotlight Edition here: https://bit.ly/3OZjfJx