What type of CISO are you?
Gary Hayslip
CISO @ SoftBank Investment Advisers | Board Director | Investor | Author | Hacker | Veteran | Servant Leader | Father
“Excuse me, can you tell me what it’s like to be a CISO?” I get asked this question quite a lot from people who are interested in the cybersecurity field and who hope to fill a CISO role someday. It’s funny, but you would think by now I would have a set answer to that question; truthfully, the answer continues to change over time. As I have previously mentioned in other articles and keynote speeches, the CISO role is currently maturing at an accelerated pace because more companies than ever are hiring their first CISO. Couple this new growth with the fact that current CISOs actually go through a career life-cycle in how they approach and accomplish their jobs, and the answer keeps moving.
I have always viewed the CISO role as a multi-stage life-cycle, one that a security professional moves through at their own pace depending on their soft skills, experience, education, certifications, and professional networks. I tend to view this as a six-stage process, and I know many CISOs who are comfortable in one stage or another and make their whole career at that level without moving on. Understand there is no reason for a CISO to progress from one level to the next unless they want to. I thought it might be interesting to describe these stages to show new security professionals that even when you reach CISO, there are still more growth opportunities available to you.
- Level 1 - “Just Starting” – this is a new Security Director or CISO who is learning the job. They have experience from being a network/security architect and may have led some teams, but it's on them now. The organization's security program rests on their shoulders, and they have to build and manage their first teams. For those of you at this level of the CISO life-cycle, don’t panic! Honestly, problems will work themselves out, and some of the best decisions you can make at this level are to begin building your professional network. Find a close group of peers that you can talk to as you work out issues, and find a mentor who can give you the depth and context to understand how your program fits in your organization and how you can evangelize its value.
- Level 2 - “I Got This” – I remember feeling this way after I had been a CISO for several years. At this stage in the life-cycle, you have been a CISO for a while, and you are comfortable with the position. You have learned to write policies and build a security program. You are familiar with risk frameworks and security controls, and you actually understand your budget. Some key things to remember: don’t get complacent. Continue to grow your professional network and educate yourself on technology and business. It is at this stage I see many CISOs seek to earn their master's degree, and I see many start to write, blog, and give speeches on cybersecurity. I am all for this involvement in the community; we need people to give back, so start early in your career and make it a habit.
- Level 3 - “To the Rescue” – CISOs at this level have gained experience serving different companies over time. They enjoy coming in and building a new security program or cleaning up after a data breach. I have known many CISOs who like being at this level because they love the challenge of building a security program and training security teams. Of course, once everything is up and running, they are ready to turn it over and look for the next challenge. There is nothing wrong with this; I view them as an architect who has come in and built a fantastic house, and it's now time to move on to the next project. What is important for those CISOs who like working at this level: please remember to leave the security program ready for your replacement; minimal disruption to the business is critical here.
- Level 4 - “It’s All Good” – CISOs at this level in the life-cycle are senior with diverse experience. They have been in the role for a decade or more and are not interested in building security programs from scratch unless they have to. They have done that, have the battle scars, and would rather enjoy maturing an ongoing security program and mentoring the organization's security teams. They are happy to come into a business with a security program already in place, make some slight adjustments to fit their strategic view, and then enjoy the ride. I have known CISOs at this level of the life-cycle who have been at the organization for 10+ years; they have the security program dialed in the way they want, and it’s all good. My concern here, and one I voice quite often, is that the field of cybersecurity is not static, and as a CISO you should prepare for change and continuous improvement. Don’t get complacent!
- Level 5 - “CISO Whisperer” – this interesting stage is one where a senior-level CISO doesn’t want to deal with the rat race and corporate politics of fighting to build and maintain a security program. However, they still want to stay active in cybersecurity, so they have taken a job that allows them to come in and advise organizations or mentor fellow CISOs. I have known numerous security professionals who needed to take a break but still wanted to stay active in our field. In this stage, they can mentor CISOs who are building security programs, and they get a full night's sleep without the 2 AM phone calls.
- Level 6 – “I’m Not Finished Yet” – this final stage is one that I believe many CISOs aspire to reach as they come to the end of their careers. This is the stage of in-depth community involvement. It is where CISOs serve on boards, teach in colleges and universities, and mentor, because they are now semi-retired or retired but still want to stay engaged with the cyber community. As more universities start cyber-related programs and businesses accept CISOs as advisory or full board members, I hope to see many of my peers stay at this level for a very long time. I believe it will not only benefit the cyber community but bring strategic value to the business community as well.
In closing, I want to state that CISOs move in and out of the various life-cycle levels. These levels are not set in stone; in fact, they are incredibly flexible, which is why this role is so dynamic. I have known CISOs who were happy to work for an organization and were at level four for years. Then a fantastic opportunity presented itself, and they quickly jumped back into a level two or level three role. What is important is that, just like cybersecurity, the CISO role is not static. Those of us who have the privilege to serve in this position adjust to our business needs, our family needs, or our community needs. I hope you have enjoyed this quick article. For those CISOs reading this now, which type of CISO are you?
***In addition to having the privilege of serving as Vice President and Chief Information Security Officer for Webroot Inc., I am a co-author, with my partners Bill Bonney and Matt Stamper, of the CISO Desk Reference Guide Volumes 1 & 2. For those of you who have asked, both are now available in print and e-book on Amazon, and I hope they help you and your security program excel. Enjoy!
B2B Marketing Strategy | Digital Marketing | Social Selling | Business Development | Author | Blogger
6 years
Nice blog. With all the transitions in cybersecurity and big data analytics, do you see CISOs helping with digital transformation projects as well?
Great insights Gary, thanks for sharing. Level 6 is a fantastic addition.
Chief Information Security Officer and Technology Risk Officer at Scotiabank US
6 years
I am a 3 looking to be a 6 next.
Consulting and training in information and cyber security and information risk management
6 years
It seems you know a lot about CISOs. I am looking for some serious study/research regarding the CISO position in the organization hierarchy. To whom should a CISO report: to the CIO, CEO, CRO or BoD? It seems there is a trend to report to the CEO or BoD, not to the CIO. What are the pros and cons?
CISO (Chief Information Security Officer) at Larsen & Toubro Group of companies
6 years
Excellent read!!