CISO Transition
Congratulations! You have started your journey toward your definition of post-CISO professional fulfillment. My parents called this phase, “retirement”, but they meant that you stop work as a professional and enjoy personal activities for the remainder of your life. It’s what their parents taught them and it’s generally what they applied to their lives. Nothing wrong with this definition except that it doesn’t really fit with our generation’s perspective on living and working for fulfillment. We are living longer than our parent’s generation just like our kids will also live longer than our generation.
?
We have an opportunity to define retirement as a new phase of our professional career where we apply a different filter to the professional opportunities and choices that we make. I’ll share my filter that I’ve used for the past five years, but keep in mind it is simply an example of what is important for me. You need to come up with your own filter/criteria for work opportunities. This is mine:
?
1.??????? I will only choose to work with people that I like/admire for who they are
2.??????? I will only do the kind of work that I like to do
3.??????? I will only work when I want to work
?
I’ll provide a little more context for my work selection criterion. I spent most of my career working in large organizations. Large organizations, over 75,000 employees, typically attract and develop professional top talent. Sometimes that top talent includes talented professionals that have flaws in character resulting in business decisions that could hurt other employees while giving them personal reward. We all have flaws, but these types of flaws poison the work environment and impact others negatively. The simple description [profane] is that I chose to avoid working with assholes. I point this out as a way for me to avoid working with this type of person based on the choices I make.
?
I am often asked to do consulting work for enterprises/leaders interested in improving their cyber security capabilities. The objective is admirable, but I’ve learned that consulting engagements often result in a higher probability of exposure to people with character flaws. In addition, the actual work involves solving problems that I’ve solved many times before but this time doing it for another CISO and leadership team. I’ve learned the hard way that consulting gigs generally have time constraints and limitations forcing short term trade-off decisions. Longer term and systemic solutions are less attractive to leaders that hire consultants and require greater justification. Despite the ample opportunities to pursue consulting gigs, I’ve chosen not to do consulting.
?
I’ve been asked many times to act as an expert witness in litigation testimony for cyber specific court cases. Every time that I’ve taken on this type of work, I have been disappointed with the outcome. I chose to be an expert witness for the lawyers representing Joe Sullivan in the DOJ’s criminal conviction for his tenure at Uber. Joe’s legal team entered the case based on the assumption that they would prevail in court and Joe would be exonerated. I’ve been friends with Joe for over a decade and I know firsthand of his commitment to leadership development for CISOs and his desire to aim higher. This assignment was attractive to me for those reasons. Unfortunately, Joe’s original attorney’s perception of the likelihood of their success in the courtroom clouded their choices of preparation activities. They chose to go to trial without the benefit of expert witnesses who understand what CISOs do. I spent hundreds of hours reading all of the documents in evidence and preparing material that was never used for many weeks giving this activity high priority (for Joe) to no avail. I have another experience working in trial preparation that offers limited rewards so I’m likely to avoid this kind of work in the future.
领英推荐
?
I choose to mentor cyber security professionals (practitioners, sales professionals and product management resources) both highly experienced and early in career. I have about 80 on my current list with about 15 of them being current CISOs. This is rewarding and fulfilling for me since much of what I learned as a CISO has not been documented anywhere as a potential resource. I made a boatload of mistakes in my career that others will now benefit from through mentoring. I never take any form of compensation for my time mentoring others. I simply offer them the opportunity to schedule time with me through my Calendly link. This is how I control when I work. I can say yes to every request for my time and encourage them to schedule it through the link. In the interim, I go through my calendar availability in Calendly and block the time that I need for living life and offer time slots that give me the necessary balance (3 days a week, 11-5). I let my stakeholders know that I will make myself available Mondays and Fridays if necessary. This gives me time to create documents (like this one) or prepare presentations or write white papers that need more concentrated time. I also block time in Calendly for days off to travel with Ellen or go to the beach and read a book. I get my exercise time and pickleball in the mornings.
?
The same is true for my advisory work. I meet with new, early-stage cybersecurity companies every week. I ask them what problem they are attempting to solve and how I can help them with product development, or go-to-market messaging, or opening doors for them through my relationships. Most of the time I choose not to enter a formal advisory role with these early-stage companies. Often it is due to a potential conflict of interest with one of my existing advisor relationships, or I lack confidence in the execution expertise, or the potential product is in an area that I lack interest in. I’ve been meeting with these early-stage companies for decades as a CISO. I always learned something of value related to innovation in cyber security controls and once in while found a great product that delivered significant value to the enterprise. I maintain a list of potential advisors, people like you, that I share with the early-stage companies so they can find the advisory help they seek.
?
These are the three things that I use as my filter for selecting work opportunities that offer me fulfillment. I’ve learned that the filter of an active CISO protecting an enterprise 24x7x365 is dominant and has a significant impact on life choices. I have no regrets for my time as an active CISO and I’m grateful for the opportunities I’ve had and the people that I’ve had the pleasure to work with. I now get to do work activities that are fulfilling and focused on helping others succeed.
While I was an active CISO I had the opportunity to work with the NYU Tandon School of Engineering to develop curriculums in data science and cybersecurity. This gave me an opportunity to document the things that I was taught in cyber security practices that are not necessarily written down anywhere else. I created a course for teaching cybersecurity professionals how to be a successful CISO that harvested all my learnings in an on-line curriculum taught by one of my mentors, Ed Amoroso along with Sanjay Gupta. Every semester another 40 or so professionals achieve their certificate from this program adding top talent to the marketplace better equipped to take on the growing challenges in cyber security.
?
Now it is time for you to decide what is important for you as you enter the next chapter of your professional career. Set aside some time to think through what type of work provides you with the most fulfillment. Don’t worry about how to generate opportunities for your choice of work right now, simply focus on what the characteristics of fulfilling work for you. As you consider this you will have an opportunity to refine your thoughts so that it evolves into your filter for evaluating work opportunities. Once you have a good idea of what kind of work is meaningful for you, we can work together to create an approach that brings opportunities to you.
?
I can say with certainty that when you have a filter in place, the work you choose to do really doesn’t feel like work anymore…it’s much closer to rewarding activities. I wish you success in creating your CISO transition.
?
Being a cyber defender who feels a consistent sense of reward is always about one goal, undermining criminality. The pretend C suite title the industry hands out like candy only poisons the joy of being an individual contributor. Your point of a filter is one everyone should learn early.
Great perspective Jim Routh! I look forward to continuing our collaboration and for your feedback on our strategic product direction. It is important as a leader to ask the tough questions and to have experience on the other side with honest and insightful answers.
Strategic Advisor / Mentor / Thought Leader. Deep Passion for People and Technology. Championing a Safer Digital World. Pragmatic, Positive and Effective Approach. Former CSO at Swift. Embracing Life with Enthusiasm.
2 个月Great insights shared in such a human and relatable way! I remember a conversation with my mentor who once told me he didn’t believe in “work-life balance.” At first, I was ready to reconsider the relationship, but then he clarified—what he meant was work-life / private-life balance. It struck me deeply: everything we do is part of our life. As someone who strives to live by the motto Carpe Diem, I know it’s not always easy to embody that every day, and it still isn’t. It’s inspiring to see so many people reflecting on similar moments in their lives here. Wishing you all the best on your journeys!
Corporate Director Cybersecurity
2 个月Well said Jim Routh - I couldn’t agree more and thanks for sharing this with us ??????
vCISO | Global IT Director | Innovative IT Leader | Keynote Speaker | Executive Board Member | GCC Auditing | Cyber Security
2 个月Love this perspective! As a recently retired individual, I have pondered, decided and redecided what my new life should be. It is an adventure to say the least.