52 Things CISOs Should Think About
Christian Hyatt
CEO & Co-Founder | risk3sixty | Harmonized security compliance programs across SOC 2, ISO 27001, PCI DSS, FedRAMP, AI, & Privacy
As a CEO, Entrepreneur, and Security Leader I spend a lot of time thinking through challenging business, personal, and security problems. For me, thinking often means writing. So here is a compiled list of some of the things I'm working through. If you are a Security Leader, I hope the topics below help you on your journey too.
Follow This Weekly Series
This is a weekly series. Every week for 52 weeks I will write a LinkedIn post on one of the topics below. I will link to that post in this article for quick reference. You can follow me on LinkedIn to follow the journey.
Start: The 52 Part Series
A Structure to Run a Great Security Team
This is a 5-part framework that I call the "Security Team Operating System". I wrote a guide and have a video on it. Check it out here.
1) Define your security team's purpose in alignment with the business's objectives (Link to Post)
2) Defining core values for your security team (Link to Post)
3) Defining roles and responsibilities for your security team (Link to Post)
4) Establish rhythms so your team is always on the same page (Link to Post)
5) Setting and achieving goals (Link to Post)
5 Core Skills for Security Leaders
I wrote a 5-part blog series on core skills for CISOs. You can read that whole series here.
6) Understand your Security Leadership Style (5 CISO Archetypes)
7) What is the role of a CISO? (Link to 5 Part Series)
8) What is the right security organizational structure? (Link to Post)
9) How to develop a security budget (Link to Post with Template)
10) How to make a business case for security resources (Link to Post with Template)
Essential Leadership Skills
11) Effective Time Management
12) A Lesson on Organizational Change Management (Link to Post)
13) Delegate and Elevate (Link to Post)
14) What should security leaders focus on? (Link to Post)
15) The burden of uncertainty is yours (Link to Post)
16) Earn the respect of Executives (Link to Post)
17) You need a peer group (Link to Post)
18) Don't spend all of your time thinking about security (Link to Post)
Taking Care of Yourself
19) How to establish professional boundaries (Link to Post)
20) Tips for building a personal brand
21) Leaders need to stay healthy
Communication Skills for Security Leaders
22) Tips for Executive Presentations
23) Tips for Public Speaking (Link to Post)
24) How to Complain Effectively (Link to Post)
People Skills
25) How to have effective coaching meetings with people you manage
26) How to have hard conversations
27) Leaders Need to Be on Repeat
28) How to Have Executive Presence
29) The Power of Positive Leadership
30) Leading in a Crisis - like a security breach
31) Tips for Hiring
32) Tips for Firing
33) Avoid weak language (Link to Post)
34) Lessons Learned From Failed Promotions (Link to Post)
35) How and why to see things from the business's perspective (Link to Post)
36) How to delegate to your team (Link to Post)
Resources and Tools
37) List of leadership tools and resources
38) Books every leader should read
Working with Vendors
39) Choosing Good Vendors (Link to Post)
40) Negotiating with Vendors
41) Holding vendors accountable and getting what you paid for
42) How to maintain great relationships with your vendor
Good Questions to Ponder
43) Who should the CISO report to? (Link to Post)
44) Is "CISO" an inflated title? (Job Description, Discussion)
45) Who owns the risk of a security breach? (Link to Post)
46) Who owns security regulatory and compliance risks?
47) Why do CISOs get fired when a security breach happens? (Link to Post)
48) Should CISOs have independent legal counsel? (Link to Post)
49) How CISOs can partner with CEOs (Link to Post)
50) How CISOs can partner with CIO/CTOs
51) How CISOs can partner with CFOs
52) How CISOs can partner with General Counsel
Work with risk3sixty
If you are looking for a security and compliance partner for vCISO, SOC 2, ISO 27001, PCI DSS, HITRUST, or Penetration Testing - we would welcome the opportunity to work with you. You can reach out to me on LinkedIn or Contact Us.
Governance | Risk | Compliance | Cybersecurity | Standards | Auditing
1 year ago @Christian Hyatt I completely agree with you. Connecting the essential dots early is valuable. The best time to know who your neighbours are shouldn't be the day your house is on fire.
Strategic cybersecurity and risk management leader driving growth, innovation, and trust.
2 years ago Great article, Christian Hyatt. The question that I always ask and would like to add to your article here is: What's next for the CISOs (asking themselves) once the highest levels of achievement have been reached? This is what I value the most in the mindset of what I call the "visionary CISO", and that's something you don't get by passing a certain certification exam or attending a certain course or a conference!
Chief Technology Officer @ risk3sixty
2 years ago This list of questions (with the exception of a few) and weekly series can be applied to any leadership role - not just the CISO. This highlights things that every leader (or aspiring leader) should be considering and doing.
CEO & Co-Founder | risk3sixty | Harmonized security compliance programs across SOC 2, ISO 27001, PCI DSS, FedRAMP, AI, & Privacy
2 years ago If you are looking for the more technical aspects of being a security leader, check out my other weekly series on building a security program: https://www.dhirubhai.net/pulse/how-build-grc-program-year-christian-hyatt/
I help cyber & business leaders with Securing Things (IT, OT/ICS, IIOT, digital transformation/4.0 journey, & AI) & share everything I learn at securingthings.blog | securingthings.academy
2 years ago Christian Hyatt, great list. I am not 100% sure about the specific direction you want to take. However, based on the title of the post, I believe some key items/questions from the list, which a CISO should be thinking about, are missing. I'd add the following to the list of questions a CISO should be concerned with (in no particular order):
- Do I understand the business I am responsible for protecting? If not, who can help me explain this? (assuming one should already have some idea about the business they are joining in advance - reality may be different for many)
- Do I know or understand the end-to-end business processes and flows?
- What is important for the business?
- What's the risk tolerance for my business? Who should confirm this from the executives/board?
- Where are my crown jewels in terms of assets (data / information / systems)?
- What are my key data flows, in what format, and how are they shared within and outside of the organization?
- How do I map/know the business interaction points within or outside of the business with customers/suppliers (possible threat surfaces)?
Hope this helps.