A CISO's Discussion on Leadership and More
Gary Hayslip
CISO @ SoftBank Investment Advisers | Board Director | Investor | Author | Hacker | Veteran | Servant Leader | Father
**Note: This article follows a podcast published 3/18/2021. Please listen to it first, as it provides context for what follows. The podcast is available at https://hackervalley.com/cyberranch/developing-leadership-w-gary-hayslip/ and wherever fine podcasts are distributed.**
Several weeks ago, a close friend, peer, and podcaster extraordinaire Allan Alford contacted me to be on his podcast, "The Cyber Ranch." I was genuinely excited to be a part of his new endeavor with Hacker Valley Studios, especially when we decided the topic would be about "Growing Leadership as a CISO." To make the podcast even more memorable, we decided to ask our community to provide the questions we would use in our discussion.
Unfortunately, as many of you know, podcasts last for only a limited block of time. Of the nineteen questions provided through LinkedIn from our community, we only had time for seven of them. However, after we completed the podcast, I felt the topic should be thoroughly discussed, so I proposed to Allan that I write this article and answer all of the questions provided by many of you. I am truly humbled at this opportunity to give some insight into how CISOs lead, and I hope you enjoy the article and look forward to your feedback. Please note that as you read this article, I have only included the names of those question providers who specifically stated we could quote them; I felt it was important to follow our agreement with you. Thank you, and enjoy the read!
Questions
1. With the rapid pace of digital transformation, how does he maintain his technical depth/awareness to lead his teams while juggling the CISO role's demands, aligned with the business and executive focus? – Chris Hughes
a. Thank you for the question, Chris. I spend a lot of my time as a security professional reading, speaking with peers, researching topics I find interesting, and talking with startups. Also, as cyber due diligence for new investments is part of my role, I get the chance to see some pretty cutting-edge technologies. I am a firm advocate of continuous education. I am always working on a class, certification, or book to learn something different. Several things I have completed or I am currently working on are:
· Completed Harvard Cert Course on Risk Management
· Currently enjoying Cloud Guru's AWS Certification Track
· Reading "The Age of Surveillance Capitalism" by Shoshana Zuboff
· I am writing my 4th book with coauthors Renee Small and Chris Foulon, which I hope will be published this May.
I am one of those CISOs whose minds can't sit still. I love our community, and I am utterly fascinated with technology. I am not afraid to say I don't know something, and I am willing to spend the time to research, ask questions, and educate myself.
2. Are you concerned that you would end up training someone beyond their role and lose them as a result? - Travis Howard
a. Thank you for the question, Travis, and the answer would be "No". I would be more concerned about having underachievers than over performers. I am realistic; the people on my team I have the honor of mentoring and leading for a specific point in time as they move down their career path. I will try to mentor them in both the soft skills and technical skills I need them to learn for their current job and prepare them for the future. I know people will eventually leave me, and I am okay with that, as I have had people on my teams who have been with me through several employers. Plus, I have had the honor to see people I have trained and mentored take their first director roles on the path to someday leading security programs as CISOs. So no, I view team members eventually leaving as part of their professional career lifecycle. Obviously, I wouldn't want to lose everyone all at once :). That is where team management comes into play, and you, as a mentor, will know when a team member has matured and reached a leveling point where it's time for them to move on.
3. What changed on the "coaching" part when we can't do face-to-face meetings with the team? – Evgeniy Kharam
a. Thank you, Evgeniy, for your question, and I believe it's one many are asking as they try to lead teams remotely for the first time. A big part of coaching and leading a security program is building trust and working closely together to achieve the team and business goals. When everything went remote, it just meant I had to work harder. I need to do more 1:1's. I need to know how my team members and their families are doing. When we do our 1:1's, it is now more about the relationship, ensuring they are managing the stress, ensuring we still have the trust in the teams. Sometimes we do a Zoom, and we all are on together, but each of us is working on different things. So we are sitting in a Zoom room together, video off, just chatting to each other as we work. It provides a sense of closeness as you work, and you can talk to each other, almost like being back in the office and seeing each other. Because of how things have changed, I am looking for ways to bring us together and strengthen our trust in each other.
4. How do you empower your team to help take one piece of your strategy?
a. Thank you for asking this question; my answer is a focus on strategy. My strategy is a continuous 36-month plan of projects, initiatives, policies, etc. We continuously review it based on the risk baseline we are using and the audits we have lined up on the calendar. Each team member is the SME for several technologies in the stack and a backup for several others. So they own those technologies, are responsible for the runbooks, and have vendors report to them. I give them the responsibility to own pieces of the stack and our overall strategy for protecting the organization. Then quarterly, we review all current projects, and annually we reassess the whole plan to see what needs to be adjusted. Again, team members help with the assessment, and if there are any changes, I let them step up to help manage them. They need this experience, so eventually, if they want to get into leadership and run security teams and be a CISO, it all starts with owning something and being accountable for it.
5. How do you promote engagement and work-life integration of your security team during today's work constraints (i.e., predominantly remote)?
a. This question is crucial for me because the cybersecurity field was already burning out many in our community before the pandemic flipped the table on everything. Now what I am watching for is making sure people aren't working ridiculous hours, that they take breaks, that they actually disconnect when they go on vacation. I spend time asking about their families, and I freely give time for family issues and events. It's imperative to promote self-care right now and give people the space to manage stress. It's too easy with remote work to put in 10, 12, 14 hour days because you are always on and connected – that doesn't make it right, and I don't want to lose my people, so I am encouraging breaks, vacations, or just half days to take care of themselves.
6. Are you intentional about culture development, and if so, what elements about culture are non-negotiable, and what do you do to develop that culture? – Lee Ostrowski
a. Excellent question, Lee, and the answer is yes. I am very strategic in building my teams, and there are soft skills I look for in developing a healthy team culture. I don't abide people lying, I don't abide people not taking responsibility, and finally, I push to find people who can work comfortably in teams at a fast pace and don't mind continuous change. I like to build communities where we can trust each other to get things done, learn from each other, and have the freedom to hold each other accountable.
7. Do you provide leadership development and training for all members of your team or just management? – Lee Ostrowski
a. The answer to your question, Lee, is I provide it for all members; obviously, what I provide is different for each person because people are at different levels of maturity. Typically, when we are setting goals for the year, we choose a technical goal that is team/business-related, a soft skills goal focused on professional growth, and a continuing education goal such as a cert, class, or conference. Training is one of the first things I ask about when I am getting resources for my program. Typically, I try to get as much as I can from vendors that my teams can use to improve themselves. I also watch for third-party professional development events offered by local schools or professional organizations like ISSA, ISACA, InfraGard, etc., and I encourage team members to attend them. I try to cover both technical and soft skills to help my team members be more well-rounded, and I hope they develop a broader view of our community and its opportunities.
8. Build or buy talent? What do you prefer? Lower cost (initially) Raw talent that can be molded as you like but will take longer to see a return on value OR more expensive seasoned pros that are semi-set in their ways? – Jerich Beason
a. Good question, Jerich, and my response would be I would do both. In building and leading security teams, you have to balance the number of senior engineers and architects you need with junior personnel. The way you have to do this is to understand the services you are providing the business and understand any changes coming to the company you may need to support. I bring this up because, as a CISO, the security program you build, manage, and lead is solely focused on protecting your company and its critical assets. This targeted view helps you as the CISO identify business operations and compliance-related data that will need to be protected. This knowledge is what I use to determine the level of resources and experienced personnel I will require to field a mature security program. Most of my teams have been about 60/40, that is, senior professional to junior professional. I typically don't take on more junior staff because most security teams' operation tempo doesn't allow a lot of time for training. So with more senior-level team members, I can assign junior personnel to them for mentorship without adversely impacting operations.
9. How do you challenge your team to continue their educational journey and grow their talents? - Travis Howard
a. Thank you, Travis, for the question, and honestly, the answer is by personal example. Plus, I also introduce them to friends and peers in my network so they may see continuous education is something many in our community commit to for professional growth. I think it's vital for my teams to see many positive role models of security leaders in our community who continuously educate themselves and provide content to teach and mentor others.
10. How do you balance training time with operational needs, including spending resources and time on team-based training vs. individual? - Travis Howard
a. Operational needs overrule everything else; without the business, there are no resources or funding for individual or team-based training. It's essential from my perspective that first, the security program must be balanced and able to provide mature services to the company. Once the security program is at that level, I feel we have breathing room to add various levels of training for the security teams. As a CISO, I first start looking at vendor-based training so staff can improve their knowledge of technologies in the security stack. I usually add this training to my purchase of the technology from the vendor. I also look at online training from various website portals that my teams could take to broaden their security knowledge. Once I have both of these in place with minimal impact on any services the team provides, I then start planning to request funding for senior team members to attend one conference each. The point here is that this is a process you build out over time as the team matures and the business trusts you can deliver and protect its operations.
11. When the team encounters an issue, how do you approach it to ensure there is an understanding of the issue while building trust at the same time?
a. The answer to that question is we approach it together as a team. Obviously, some types of issues would have to be kept private, and HR would need to be involved. However, most issues security teams face are related to operations, maintenance, incidents, and projects. Those types of problems we meet and work on together. Now, I am not naïve enough to think that works every time; I have plenty of experience in team dynamics to know how team members can get on each other's nerves. However, I feel it's vital that when there are problems, we face them as a team and own the issue. Then we break down the problem into components to address how we should work on it until resolution. Sometimes, this may require that I move people within teams due to the issue and how current team members aren't progressing. I have also reached out to other business units and brought in their staff to collaborate on problems when I felt my team was missing context in a situation and another set of eyes would help us focus. The core points I want to make are addressing the problem as a team and never turning down assistance, because what's important is that we learn from the experience by working together.
12. How do you advance a security program to protect an organization from the known unknowns? – Steven Solomon
a. Thank you, Steven, and my answer is resilience, resilience, and more resilience. Accept the fact that you will have an incident, so besides your normal daily operations, what changes are you making in your architecture, procedures, training, etc., that will help you when it's a bad day? Much of this can be accomplished by using a framework to methodically manage your cyber hygiene and working hard to get the basics done right, continuously. Then, review your current procedures and processes for monitoring and managing incidents until you drive them to the point that it's muscle memory and the team responds efficiently. Then, on top of that, start over again: reassess the stack, the program, and current business operations, and look not only for gaps but for areas where resiliency can be integrated into the program. The goal is not to be 100% secure, which we all know is a fallacy, but to withstand an incident with minimal impact on the business, learn from the incident's result, and start again.
13. How do you keep an appreciable balance between the security and efficiency of the systems?
a. The answer to this question is all about measurement and testing. The first part, measurement, is focused on the daily operations and monitoring of your controls. Do you review them periodically, understand what service you are delivering, and know whether they are providing anything of value to the business? This is about the framework assessment I have completed and the current controls I have in place to reduce risk. I measure over time and provide weekly reports not just on what we are blocking but also on what is currently patched, what is presently being investigated, and any recently closed incidents. We also track support tickets associated with helping the teams that provide revenue, and we have SLAs we follow on response and service times. The next part, testing, is all about the internal and external testing that verifies all of the resources and controls we have in place have reduced the organization's threats without interfering with business operations.
14. What are the experiences where compliance doesn't fit with engineering goals, and how are they helping the compliance world catch up to customer security demands?
a. This is one question I am continually asked because I find security professionals time and again are tasked to assist with compliance initiatives where engineering is tasked with revenue/business initiatives – guess which one wins? Compliance from the beginning is about following a policy or some regulatory framework composed of a list of yes/no statements. Engineering is about following a framework designed to be nimble; it is intended to be stopped, changed, shifted, and then restarted. Every time I have had compliance and engineering clash in my career, it was because compliance was focused on a governance or audit issue in front of them. In contrast, engineering was focused on a business issue that would impact customers, new initiatives, or current business operations. Both were disparate processes, and the only way we were able to make progress was both teams had to sit down with each other. This process meant security/compliance team members attending agile stand-ups to see what the dev teams were working on in their sprints. It also meant security/compliance team members traveling to different offices and conducting brown bag training lunches with dev team members to answer their questions and give them visibility into why specific changes were needed and how earning certifications like ISO 27001 or SOC2 would benefit the business. In the end, it was all about building trust. Once the teams got to know each other, were briefed on what each other was working on, and saw the business's benefit, it became easier to get things done. With that said, to build that trust, you must be willing to accept you might be wrong, be ready to collaborate and learn new things, and finally, for it all to have a lasting effect, you must have executive support.
15. How do you promote within your team that you are "One IT" department versus "we are security, and you are operations" mindset? – Lee Ostrowski
a. Lee, to me, that is pretty easy, because have you ever seen a security stack exist on its own? The answer would be "no," because security and IT stacks are intertwined. For the longest time, I argued that IT and cybersecurity should be separated, and I am now finding more companies are splitting the CIO and CISO, but they still have to work together. Both of their teams need each other for change management. Both teams need each other for vulnerability/patch management. I continually find that both teams need to be part of each other's projects. Both are required to support initiatives like standing up an AppSec team or implementing a large technology platform with many integration points. At my current employer, IT and InfoSec are shared services across multiple entities, and we operate as one team. I at times deputize people on the IT teams to help my team with projects. Honestly, I feel the more my team members learn about networks, cloud, and essential tech support, the better they are as security professionals.
16. How was the process of writing the "CISO Desk Reference Guide"? What inspired you to write, and what were your "Aha" moments from your coauthors or growing as a communicator? – Yodi Solomon
a. You have a couple of questions here, Yodi, but I am happy to answer them. The whole process of writing the first book in the CISO Desk Reference Guide series was unique because neither my coauthors nor I had ever written a book before. So we had no experience of what we were getting into when we started the process. When we started, I had written about 20+ articles, many of them for veterans explaining how to come into the cybersecurity field, but nothing more significant than a couple of pages. We viewed writing this book as a project and mind mapped its contents, chapter by chapter, subject by subject, and then with this map, we proceeded to write one piece at a time. Once we started, we held regular meetings to hold each other accountable, and we set goals for when we would have specific chapters completed and ready for editing. I set aside an hour each day to write; sometimes it was research for the chapter, and sometimes it was reviewing what I had written the day before. Either way, it didn't matter; I just focused that hour every night and held myself accountable to get something completed. Since then, I have written over 100 articles and published three books. I am currently finishing my fourth book using the same process, and I continue to write for the same reason I published my first article: because I know I am helping people.
17. How do you manage the balance of technical skills requirements and leadership/management responsibilities? What priority do you place on both to keep current?
a. This question is about where you are on your professional growth path. I find technical skill requirements fundamental early in your career, and as you grow and mature, professional soft skills and management skills become essential. Now comes the point: how do you balance them? Again, it is based on your role and personal preference. I have known security leaders who, once they reached a level where their position was focused on strategy and compliance, would probably be 20/80 technical to leadership/management skills. On the other hand, I have known pretty senior-level CISOs who loved being technical, building security programs, and working with startups, and weren't interested in doing senior-level management. They would probably be 70/30 technical skills to leadership/management. I try to keep it balanced in that I love technical, but I also find the strategic/business enablement side fascinating and enjoyable. So I do classes on both, I attend conferences on both, and I keynote and write about both, because I believe both are important as a security professional. It is vital to have both sets of skills matured and healthy because you never know when fate may provide you with a fantastic opportunity. I, for one, don't want to miss that opportunity.
18. Would you rather build a team based on people that have the aptitude and no experience or people that are veterans?
a. Obviously, I view the question as theoretical because no company would ever allow me to hire people with aptitude but no experience unless they were interns, but you do have some good points. As a hiring manager, I have a list in front of me showing my qualifications for a specific role that I need to fill. Sometimes, that role is critical, the team sorely needs the experience, and I can't waive it. However, in junior and mid-level positions where I have some leeway, I am willing to look beyond my list and consider things that demonstrate a passion for our field, like personal projects, CTFs, or speaking at BSides or DEF CON. One of the hardest things a CISO must do is find the right team members who culturally fit the team you have built and bring experience and knowledge that make the team better. So my answer would be that as a CISO, I can't afford to hire someone without experience. Now, I can be open to all types of knowledge and experience, but even as an intern, you have to bring something to the table to better the team.
19. How to maintain connections with other CISOs and CTOs of companies?
a. My answer here is to be active in our community. I have known security professionals who complain that they don't have mentors, nor do they have healthy professional networks. When I would talk to them, I typically found, time and again, that they were not involved in any professional organizations associated with security or IT. Nor did they attend conferences or even take courses at the local university. To maintain connections with other professionals in our field, you need to be active. People need to see you; whether it's going to a local meetup event on data science or attending a lunch event provided by your ISACA chapter, you need to get involved. I have been in cybersecurity and IT for 20 years; however, it wasn't until six years ago that I started writing and keynote speaking at conferences. These last six years of deciding to get involved, mentor people, create content, and be a part of our community have opened many doors, and it's why I tell people to stop sitting and watching. Our community needs diversity, and we are stronger for it.
In closing, I want to thank Hacker Valley Studios and Allan Alford for this opportunity, as I enjoyed the podcast and writing this article in response to our community's questions. I also want to thank all of you security professionals who took the time to submit a question. I felt many of you have problems you are trying to solve in your own security programs or have a career decision to make. Either way, I hope I have provided some insight to help you, and I look forward to everyone's feedback. With that, blessings to all of you and your families. I hope to see all of us again soon, attending a conference together where we can have a discussion like this over a nice cold beverage of our choice – be safe!
Comments
Community Development | Brand Strategy | B2B Development | Higher Education | Management Practices (3 years ago): An informative piece. At a time when businesses are revving up to shift towards digitization, cloud-enabled HCM solutions are a game-changer in HR processes & improved employee experiences. https://s.peoplehum.com/razgy
Board Member at Jamf, Red Canary, & Urban Ventures (3 years ago): Terrific article Gary Hayslip. I quite like: "I would be more concerned about having underachievers than over performers." Couldn't agree more. If developing team members results in losing them to greater opportunity, it's a small price. Ideally, leaders can help develop people AND provide the next opportunity for them. Well done.
Compliance, ERM, Information Governance, and Privacy Leader (4 years ago): Lot of wisdom here Gary Hayslip, and not just for CISOs!
Head of Cybersecurity and IT Operations | Solution Architecture | Cloud Engineering | Program Management | Governance, Risk, & Compliance | Navy Veteran (4 years ago): I'm gonna read the article, but I just have to say that's a wicked cool hat in the photo.