4 ways to boss the CISO role
Being a CISO is no easy task, so how do you ensure you stay on top of the job? Steve Mansfield-Devine talks to two tech leaders about how they approach the role
For Curtis Simpson, CISO at Armis, it’s important to take a holistic view, well beyond the specific concerns of the security function.
“My highest priority is always to stay on top of the key strategic priorities of the business and the impediments to achieving these priorities,” he explains. “This overall understanding must be established alongside an understanding of what business capabilities and systems are most important to the business.”
Once you truly understand what makes the business tick, it’s much easier to properly align your people and technical capabilities with those areas that, if attacked, could cause the most damaging disruption to the organisation, he says.
Achieving this level of understanding is not a one-time deal, however. The landscape is forever changing.
“It is important to stay current, especially as the threat landscape changes and expands,” says Devin Ertel, CISO at Menlo Security. “New threats are always emerging. Existing threats are evolving as well.”
The solutions to those threats are constantly developing too, but it’s important not to get too obsessed with chasing the latest shiny technology, says Simpson.
“It’s most important to understand how evolving technologies enable our ability to better address these priorities, not to understand all new technologies and terms being used in the larger security solution market,” he insists.
Communication is key
A crucial characteristic of the successful CISO is an ability to work and communicate with the rest of the business.
“Having a roadmap along with a plan is a must-have,” says Ertel. “This should be shared with the company along with regular updates. Let everyone know the plan and the need for it. Make it something everyone understands and supports. Let others become your advocates and have a sense of ownership in the success of keeping the company safe.”
Staying in control
It’s arguable that being a CISO is one of the most stressful jobs in the organisation. It is also frequently one of the most under-appreciated.
“The primary reason is that it’s relatively new when compared to the other C-level roles in the company,” says Simpson, “and when coupled with its perceived complexity and highly technical underpinnings, very few are completely aware of what it is and why it matters to the life and revenue of the company.”
This lack of understanding about what CISOs do and the benefits they bring to the organisation may persist even among other C-level executives, including CEOs and CIOs, to whom CISOs report. Some CIOs may even see the CISO as competition.
“Avoid seeing any of this as negative and avoid dwelling on these scenarios,” advises Simpson.
“Rather, seek any additionally desired fulfilment and appreciation outside of your organisation. Advise and coach other CISOs and even start-ups, based on your experience. These activities can truly highlight the value of what you’ve accomplished and learned and may even open your eyes to the next great opportunity.”
The message is that it’s not just the threats that shape how you act as a CISO, but also your own organisation, as it grows and evolves.
“There are challenges, especially in this era of digital transformation,” says Ertel. “Think about the growth of SaaS apps and how targeted they are, and how easy they can be to set up and use. For example, an HR department may decide it wants an app to manage employee goals and objectives. They may go ahead and purchase that app and set it up themselves without involving IT.
“Another concern is that now many employees are working from home, accessing the corporate network using several devices, from their laptop to a tablet to a phone. Suddenly the attack surface has expanded across the board.”
Clearly the evolving nature of the business affects that critical understanding of what the business depends on.
“One of the key challenges can be maintaining a consistent understanding of ‘where business is done’ and the ever-changing list of internal and external partners that will need to be engaged to collaboratively manage business risks,” says Simpson.
“Staying on top of this evolution requires both technology support and that the cyber function is closely connected to the transformation and/or at least closely coupled with the cloud and DevOps functions, working collaboratively towards common visibility and risk management objectives.”