CISO Best Practices from the Trenches
Robert Cross
I help security teams build strategic testing programs that reduce risk by 1000% | Book an appointment below to find out how
Throughout my security career, one of the most valuable things I offer C-level clients is something they don't get enough of: perspective. We work across industry verticals and across companies of varying size, culture, budget and strategy. We have the privilege of witnessing spectacular implementations and successes, and also spectacular failures and mistakes.
CISOs, in my experience, are a unique and fun bunch, as their responsibilities change at the speed of the cyber threats they defend against. Many are deeply buried in their foxholes fighting a 24/7 battle and rarely come up for air, but when they do I have been fortunate enough to build trusted relationships with them, and over the years I have learned a thing or two that I try to pass on to others.
Below is an abbreviated list of just a few best practices I've garnered from great relationships with some very special and seasoned security industry executives. They will remain anonymous, but if they happen to read this post they will know for sure which one they are.
#1 Keep Your Vendors Close & Your Partners Closer
As my good friend would say, "There are vendors and then there are partners. Partners get on the bus you're driving and will make sure you get to the destination, whereas vendors wave as you pass by." Make sure you know who is a vendor and who is a partner, because when the fight is on and you need people around you to go above and beyond, that's the difference maker. These relationships don't come easy; they take time to build trust both ways, and when successful they are priceless because the resulting friendship and business partnership endures adversity. Choose wisely.
#2 Keep Your Hand Just Above The Flame
Incorporating innovation from the outside is a tricky thing. Let's face it: no one gets fired for hiring the big consulting firm, but that may come at the price of being a step behind an adversary who is using bleeding-edge tech to defeat you. This particular CISO took calculated risks with start-ups as a security R&D endeavor, to hedge bets and explore ways to achieve not incremental change but disruptive transformation. They were always exploring ways to advance in feet instead of inches, balancing operational parameters to contain the blast radius if it didn't work out. They accomplished this by having a very innovative operational team on staff who were brought in on the strategy and knew how to execute to very defined outcomes, measuring success or failure. The team operated like a machine, which every participant appreciated. They were pushing the limits, keeping their hands just above the flame, getting slightly singed but not burned. The balance it took to drive strategy and their organization's security to the next level was fascinating to behold.
#3 Be The Heat Shield for Your Team
True leadership is praising your team for successes, owning the failures, and protecting your team as a heat shield from all sides so they can execute the mission. Some call it the "whirlwind" or "politics"... I think you all know what I'm referring to here. One particular CISO is an absolute Master of the Dark Arts of "managing up". He's very seasoned, with multiple tours at F100 companies and a successful consulting background in between CISO gigs. Recently he showed me his presentation to Sr. Management and the Board of Directors. Needless to say, I was blown away by how short, sweet and to the point it was. I think I'm a master of PowerPoint engineering, but this person is next level. He had one chart that summarized the entire year in numbers and gave the board the metrics and peace of mind they were looking for, in terms they understood. If you clicked into the chart, the year was messy, but the security team successfully executed the mission without incident. He was masterfully managing up and being a heat shield for his team by presenting the success they achieved at the level the Board needed, giving everyone confidence in his team's operational excellence and sparing them the ugliness of the details. I wish I were able to replicate the chart, but I was sworn to secrecy.
#4 If You Pick a Fight, Then Go All In
Change is hard... and if you want it, then you have to be willing to die on that hill. This executive wanted to change his organization's status quo philosophy of "this is how it's always been done" to a security-first, do-what's-right culture. He was picking a fight with a very large peer organization that was driving a culture of "good enough is good enough".
He leveraged powerful data from testing as factual and forensic information to drive root cause analysis of failed processes and philosophy "left" in the SDLC. There were heated debates, politics and a deep-rooted history of distrust. This executive used data as the broker of truth, and every discussion was centered around how the organization could improve. Then we hit a critical tipping point and a great thing happened. The engineers in the big peer organization had never been benchmarked or measured before, or even told which key performance indicators (KPIs) matter. Once this information was communicated and they were shown their current performance levels, way below the minimums, they rallied and worked to be the best. We put in place a gamification and rewards strategy, and within a couple of years the culture changed from "good enough" to "security first, and it's never good enough".
My client executive who created the spark was hailed as an innovator. The peer organization embraced the change and created entire programs around the KPIs.
Some of the hills in front of us represent opportunities to create change and are worth risking everything to do what's right, and it takes selfless leadership to be the initial spark towards something bigger than ourselves.
#5 Build Your Brand
The average tenure of a CISO is 24-48 months, according to a recent Coalfire report. The majority of CISOs in my network mostly stay in their foxhole... and don't make many public appearances. When it comes time to pitch a tent elsewhere, I have witnessed some of the best ones struggle to find the next gig. Such high-level jobs aren't filled quickly and the time takes what it takes; however, CISOs who have made an effort to build their brand as a known quantity in the market seem to land new opportunities faster.
One CISO in particular has an amazing personality and is a regular guest on podcasts, but IMHO her superpower is hosting a podcast, which she has done on occasion. On her podcast she interviews other CISOs, and the interviews are super juicy because you feel like a fly on the wall to a private conversation between two Titans of cyber security, and you learn a ton! I will bet dollars to donuts that when she's ready to "pop smoke" and leave her current post, the offers will come in hard and fast because she is a well-known quantity. She took the time to put herself out there, be vulnerable, and let people get to know her through publications and interviews.
I totally get that everyone is too busy and we're all connected to the grid 24/7, and it makes me sad :"-( that we've lost an important element of our careers: true networking. LinkedIn allows us to reach out to anyone, but I can't remember the last time I connected with someone who actually wanted to "connect" and have a conversation. It feels more like playing a video game where the one with the most connections wins the high-score slot with their initials R_A_C (my initials) on Galaga!
It's great that you're a master of your craft, but for longevity and career health, make a concerted effort to get out and network, and for the love of donuts have some fun interacting with peers, vendors and thought leaders. Write a blog, start a podcast, or better yet connect with someone on LinkedIn and offer to have an intro chat to actually build your network and invest in you. Your future self, next employer, colleagues and family thank you in advance.
My Ask of You
I would love for you, "the reader", to chime in with your thoughts, and I invite conversation around these topics. Thank you for reading!
-RC
Security, Networking, and Mobile Technology Executive
6 months: Are you at RSA this year? Love to catch up.
Regional Sales Director, New England & Eastern Canada, Synack
6 months: Interesting
Cybersecurity Marketing @Synack
6 months: I found #2 most interesting!
Robert Cross. Hey Rob, great advice and applicable to other areas, not just the CISOs!
Fractional CXO | CEO Whisperer | Board Member/Advisor | Leadership Coach | Marketing Consultant | Fundraising/Capital
6 months: Great piece this morning, Rob. Thanks!