A Tip for Up-and-Coming CISOs
Lee Parrish
Vice President & Chief Information Security Officer | Author | Boardroom Qualified Technology Expert (DDN) | CIO | Infrastructure Leader | Human Resources | Combat Veteran USMC
As Chief Information Security Officers, we all search for that special blend of attributes that make up a high-performing cyber security program. And for the most part, we all have access to the same resources in many areas.
For example, so many professionals have devoted their careers to selling security technologies, and while they excel in tailoring the right solution(s) for my needs and building a strong relationship with me, I understand that they’ll sell to any CISO who has the need, the funding, and willingness to purchase. They are not selling to one of us and not the others. When it comes to technology, we CISOs are on a level playing field.
When it comes to policy and processes, we again find ourselves equal. We each can go to a research firm for guidance, or perhaps leverage common templates, or even reference one or more popular frameworks to develop our administrative controls. No CISO has an edge in this area either.
The true differentiator in a security program lies in its people.
It has been my privilege to staff and lead hundreds of security professionals in my career thus far. In my mind’s eye I can see each one of their faces - the memories of the innovative things they have contributed to the program come to mind and reinforce my belief that without a high performing team, a cyber security program is doomed at the start.
As they perform, each one constantly evolves and grows. They apply empirical knowledge to a task in order to complete the mission, learning more each time they accomplish a task. And I’m not talking about AI or machine learning, I’m still referencing the people on the team. There is a scene in the movie Iron Man where a senior military officer, speaking to a small group of junior officers, says:
“The future of air combat, is it manned or unmanned? In my experience, no unmanned aerial vehicle will ever trump a pilot’s instinct, insight, (that ability to look into a situation beyond the obvious and discern its outcome) or a pilot’s judgement.”
Aside from the skills each one brings to the team, there is something to be said of the relationships we build amongst ourselves. These memories serve to help us rely on one another, learn from each other, and build relationships along the way. I have wonderful memories of sitting with colleagues in a restaurant, laughing and enjoying each other’s company. Or the time at a golf outing when his drive went 300 yards and the very next shot, he sliced the ball 10 feet into the woods. We laughed so hard, didn’t we? Or that time when she, with no bowling experience, rolled a turkey in her first game. Or the hockey games we attended together as a team. Times like these solidify relationships. I’m not minimizing the importance of technology; it is crucial in our work. But you know, I’ve never heard anyone in my career say, “Oh my gosh, remember that time she logged into the endpoint protection platform and did a search for that IP address, and it provided all of those results? That was so awesome!”
It really does come down to people - that is the secret sauce in a corporation’s cyber security program. We obviously want candidates with extraordinary security skills, but I have found success in a hybrid model. I seed the team with a few folks who have extensive cyber security experience, and add several people who have strong technology skills, but perhaps not a deep cyber security background. They mentor one another, train one another, and I supplement it with providing them access to formal training opportunities. I have found in doing so, my team is more creative, diverse, and willing to expand their boundaries.
I look for security candidates that have two key behaviors: 1.) curiosity; looking at all the unintended uses of a particular capability, and 2.) passion. This attribute cannot be understated, and I have found that those with a passion to learn and grow, make for the best cyber security professionals. But that could be applied to anything, couldn’t it?
I know what a few of my colleagues are thinking: Lee, this sounds good, but the problem is when you train them into experienced cyber professionals, they’ll take those skills somewhere else. My answer to this has always been: not if you treat them right. You pay them a good salary, provide quality benefits, give them challenging work, and create an environment in which they can have fun and learn – why would they want to go anywhere else? Just as technology and processes need constant care, so do our teams of security professionals. It is our privilege as leaders to support our teams through strong performance management, career development, and raising their engagement. This is our primary focus.
The high-performing security programs are won by those CISOs who focus on the people. One can build strong relationships and dive into the details of performance management/recognition (without micromanaging), or one can merely preside over an organization.
Which one will you be?