Life as a Chief Information Security Officer can oftentimes be hard on the ego.  It is surely one career in which it is easy to fall in to an identity crises (which is a different “identity management” than we are used to dealing with).

How many times have we heard that the position of a CISO is a thankless one? How often do we as CISO’s go virtually unnoticed when all is well, only to find out that we are the main culprit (dare I say “target”?) when there is an incident?  A wise security sage once told me it was like being an umpire: you never get noticed until there is a bad call.

We can change that, and we have opportunities provided to us regularly.

We are all familiar with the greatest hits of 2014: the Heartbleed panic, XP’s end of life, and yet another IE issue. We could add a few more, but that would be for another article.

However, if you are like me, information security garnered a great deal of attention when these security concerns made it in to the mainstream media.  As a result, for a few days after each event, my phone rang numerous times from members of my community that I rarely get an opportunity to engage with, my daily email stream became a deluge, and requests for my guidance and opinions observed a dramatic increase.

For about 72 hours after each of these events, the CISO became the rock star.  Yes, a rock star.  Everyone wanted my opinion on how such events impacted our organization.  Several of them wanted to know what they should do personally.  Another subset actually took the opportunity to dig deeper into other areas of security.  Now, truthfully, how often do you get to have meaningful conversation with the people you secure about overall information security?

So what does this mean to us as security practitioners?  It means that those we serve look to us for guidance.  They want to know that we are there to help them, and they understand that we are the go-to people when their lives are impacted through technology.  We are the ones they rely upon to cut through the noise, hype and jargon.  More and more of our communities are realizing that technology is no longer just a tool for their use, but it has become something they must pay attention to relative to security and privacy. We are the ones with the answers for them.

So when the next unexpected security event hits us, and our schedule and routine gets completely pushed aside for us to address yet another issue, prepare for the calls and requests that you will receive from a curious or panicked community.  Encourage these calls.  Tell them that you are there to help, and are happy to provide the insight and sense of calm that they need.  For a few days, be thankful that you are the rock star that they are looking for, and that you can fulfill this role.

You are a rock star.  Really!

David Sherry is the Chief Information Security Officer at Brown University in Providence, RI.  He has institutional responsibilities for all areas of information security and privacy, and plays a key role in the records management program, regulatory compliance, and copyright law.  Prior to moving to higher education he spent several years in financial services, with responsibilities for enterprise security governance and regulatory compliance, access controls and operations, identity management, and the security awareness program.  A graduate of Providence College and Northeastern University, with certifications of CISSP and CISM, he is a frequent conference speaker on emerging security topics and best practices, as well as a guest-lecturer throughout the academic year at several New England institutions.

Leave a Reply