As a CISO, you will find your job requires you to have experience in many areas. As the leading cyber security executive for your organization you will be expected to manage your organizations cyber security suite and lead your team in protecting its assets. In this position you will also work with your organizations departments and in the process meet many of your critical stakeholders.
As you build your human network in your organization, remember these stakeholders are your customers and it is important that you understand what issues they are presently having with your organization’s enterprise network and its current application portfolio.
Your stakeholders will eventually turn some of these issues into business cases for new IT projects. I have seen many of them come before my IT Department’s Technical Review Board as they make their way through my organization’s governance process.
Knowing the context of why these projects are being proposed by your stakeholders’ department and understanding the underlying issues that drove them to propose a solution will help you view their business case with a more informed view.
The reason this is important is that as a CISO, your expertise in security and risk management will be called upon to review new projects or proposed solutions. Many of these projects will be to assist one of your stakeholders in correcting an issue that is interfering with them being able to provide services to your organization and its customers.
Sometimes your stakeholders will propose projects that incorporate new technologies. As the CISO, you will have to decide the risks involved in using these new technologies and whether they are a good fit for your organization’s technology roadmap.
As CISO, I firmly believe part of your job is to not say “No” to projects that don’t quite meet your organization’s roadmap. Instead, I believe, as a CISO your job is to say “Maybe.” This leads you to looking at proposed IT projects with a critical eye to ensure they induce the least amount of risk to your organization.
However, you still have to remember there is a business reason for the project so you will need to think of alternatives. Sometimes, to do this you have to remember the reason why these projects were being proposed, and what “issues” they are to solve. Your job in your organization is not to stop it from doing business, in fact I look at cyber security as a business enabler. We provide the foundation to build your organization’s IT portfolio on and then keep it safe.
Part of keeping your organization safe is being able to answer the “Maybe.” I have found being able to do this involves being knowledgeable of new technologies and the risks involved with old ones.
I constantly do this by attending classes, training events and start-up incubators to see new technologies and how to add them to legacy networks. I have found that to be an effective CISO for your organization you must be able to say “Maybe” when needed and give them an alternative to succeed.