Why Do CISOs Enjoy Serving In Their Position?
Gary Hayslip
CISO @ SoftBank Investment Advisers | Board Director | Investor | Author | Hacker | Veteran | Servant Leader | Father
****Original article was published on June 26th 2019 in Forbes Magazine's Technology Council Community Voice.
As I continue my search for my next role, I'm often asked why I would want another chief information security officer (CISO) job. Recently, that question led to some deep reflection about why I like being a CISO and why this job is important to me.
Today, the CISO role is fast-moving, with no set definition of job requirements or career growth. In fact, the average CISO tenure is estimated to be about 2.5 years, whereas the tenure for a CIO is almost double that at 4.3 years. Couple this short job tenure with the fact that this new executive role seems to be employed differently in each company that hires a security executive — and the fact that it is often placed under heavy scrutiny when there is a security incident — and it becomes clear the job of CISO seems to have a lot of issues.
Even with these negative aspects in mind, I brainstormed with peers and compiled many reasons why we find our role, and the field of cybersecurity, fascinating. I was able to boil the essence of many of these reasons down to five main points.
Business owners, take heed; these are the reasons why your CISOs come to work every day and why they find passion in their roles. Armed with this knowledge, you can better shape this position so your CISO and your business are better for it in the long run.
1. We are curious about technology.
Many CISOs are curious about technology, both legacy and new, and how it works. Better yet, many of us are interested in how to hack it and make it do unplanned things — or how it could be hacked and used against our organizations. This curiosity helps us when we are troubleshooting issues within our security stack or triaging a security breach.
2. We like working with technology and people to solve problems.
This trait ties into our innate curiosity for technology. Many CISOs like to look at projects, risks or security controls and think of innovative ways to achieve their goals. It's like we're putting together a living puzzle that involves technology, people and policy — and we enjoy the challenge. We like our role because it's where the action is, we get to collaborate with peers throughout the business and we help get things done securely.
3. A CISO's job is exciting to work.
The field of cybersecurity itself is dynamic, so keeping educated on new threats, technologies, regulations, and compliance frameworks can be quite challenging for CISOs. However, many of us CISOs like that our chosen career field and job role is an ever-present test, requiring continuous education to be effective. It's not boring, and, at times, it's scary — but it’s pretty cool.
4. We need a sense of purpose.
Out of the five traits I've discussed in this article, our sense of purpose tends to motivate CISOs to either be exceptional or to leave organizations. The job of a CISO is very stressful; however, many CISOs accept the stress and the challenges of their position because they feel they and their security teams are making a difference.
This is a wakeup call for many organizations that are just hiring a CISO for the sake of it — having a warm body in that position is not enough. As an executive leadership team, you must provide adequate resources and give your CISO the ability to manage risk and help the business be successful. CISOs know when they are just there to be a speed bump for the next breach. Having a sense of purpose and the ability to execute that vision is compelling, and it is one motivating factor I know CISOs look for because it makes all of the hard work we do worthwhile.
5. We love managing evolving risks.
I find this final point particularly exciting because it goes beyond the ebb and flow of changing technologies. Many CISOs like working in their positions because, as part of their company’s executive team, they are given a chance to review new operations, projects and opportunities — and document their risk. Not only do they get to note the risks facing their organization, but they are also expected to be a key player in how these risks will be mitigated. I am one of those CISOs who finds managing risk fascinating. Managing risk to me is like that living puzzle, and as a technology and security executive, a CISO has the opportunity to work with their peers within the business and architect the company’s response to its exposure.
How can you create an optimal environment for a CISO?
The list above is not inclusive of all the possible reasons why a CISO enjoys and serves in their position, and I am sure this will change over time as the position continues to mature and is accepted in C-suites and boardrooms. With that said, it's important for executives to understand why people work in this role — so they can position them and the company for success. CEOs, owners, and executive leaders alike, if you have a CISO on your staff — or are looking to fill such a role — keep these tips in mind:
• CISOs don’t own security incidents, they manage them.
• CISOs need access to all business units for success.
• When CISOs understand the business, they’re effective, so please mentor them.
• CISOs need to collaborate with their peers, so don’t isolate them.
• All technology decisions have risk, and CISOs need to be involved in those decisions.
In closing, I'd like to come back to the question I posed at the beginning of this article: Why do I want another CISO role? I enjoy having a sense of purpose and leading teams toward a specific goal. That focus — and the opportunity to be part of a leadership team — is quickly becoming a recurring requirement for today's modern security executive. With this in mind, how will your business optimize its practices for the sake of your CISO's success?
***In addition to having the privilege of serving as a Chief Information Security Officer, I am a co-author with my partners Bill Bonney and Matt Stamper on the CISO Desk Reference Guide Volumes 1 & 2. For those of you that have asked, both are now available in print and e-book on Amazon, and I hope they help you and your security program excel, enjoy!
Cyber Security Practitioner | CISSP, CISM, CCSP
3 years ago: Nailed it!
Information Security Governance, Cyber Risk, and Regulatory Compliance Leader | Managing The Evolving Cyber Threat Landscape
5 years ago: Excellent perspective. Ultimately managing information security is all about managing risks - point #5. The issue with many business executives and the topic of managing cyber and compliance risks, is that it is often misunderstood and minimized. Many organizations still confuse managing technology risk, the CISO role, with the role of managing the implementation and operation of information technology, the CIO role. Hopefully the role of CISOs within organizations will change as our profession migrates from a reactive role to a proactive role.
Gary, once again, thanks for sharing your insights! I never really took the time to analyze my short tenure in the CISO role; however, I think you have touched on many points I agree with. Working in the public sector for my entire career, and ending up in that role at the end, my main motivation was to find secure solutions for city employees to do their jobs effectively and efficiently in serving the public. I enjoyed working with and educating both management (administrative branch) and elected officials (legislative branch) in how to use technology as a business enabler and still protect sensitive information. I also enjoyed having great teams to work with - both the centralized staff who reported to me, and also the departmental IT staff - working together to eliminate (avoid) the silo mentality. Wishing you the best in seeking and finding your next position.
Enabling Customers on Information Security & Manageability Solutions | Oracle
5 years ago: Thanks for sharing!! Very informative.
Founding Principal at Ascension Security Partners
5 years ago: YES! Great assessment and perspective, Gary.