These days I am often asked by businesses, churches, not-for-profits, and middle governing bodies about the role of the Chief Information Security Officer, commonly known as the “CISO.” With more and more emphasis being placed on data privacy and security, and with more laws and regulations coming down the pike, every organization will be affected, and professionals who can fill that role will become a necessity.
So let me share my thoughts on what it takes to be a CISO. They are based on personal experience over thirty-plus years in the industry. I have seen CISOs come and go. It is not an easy job, and here is why:
Information Security (InfoSec) professionals are technical individuals, and no one questions what it takes to be “technical.” These are people who, at the core of their existence, strive to fight cyber attacks. For many, the career ambition is to rise over time to the level of Chief Information Security Officer (CISO), in their own organization or another. Market demand for the role and for the leadership of a CISO is high. Many CISOs today are also inheriting the position of Chief Data Protection Officer because of the new regulations and laws emerging around the globe.
Specific characteristics and attributes are in the DNA of every great CISO. As a retired CISO of a large financial institution, with thirty-plus years in the industry working for some of the most amazing technology companies on the planet, I can say there are four pivotal attributes (call them skills or expertise, depending on your perspective). In my opinion, a person must possess and keep developing these attributes to achieve “greatness” as a CISO. That will not happen overnight. For those who strive to be a CISO, and for those who have just entered the ranks and are now wondering how to become a great one, I have narrowed the requirements down to four attributes. Let us set aside all the technical skills and experience we traditionally associate with InfoSec people and CISOs; let us agree the technology is a given. Let us also set aside the academic degrees and courses one has taken, and most definitely the industry initials after your name. The technical skills, the degrees, and the initials will let you do the job adequately, but they will not make you a great CISO.
The four pivotal attributes are Clarity, Scalability, Predictability, and Authority.
- Clarity – Clarity is the hallmark of a good CISO. Clarity means expressing the essence of the cyber and data protection operation: people and technology. For example, industry best practices are embedded in ERP applications to drive efficiency, and processes are integrated with cyber tools; the art of Clarity lies in understanding the inner workings of those processes, their cause and effect on the organization, and the patterns their everyday use creates. Then the KEY is being able to tell their story: to tell the CISO story, and not make it about you. Transparency is too often the “guilty bystander” in InfoSec programs and efforts. Clarity is the demonstrated comprehension and intelligibility of the CISO. It is the transparency, perception, and understanding of the world the CISO lives in, brought to the rest of the enterprise in its most understandable form, so that it can be appreciated by all.
- Scalability – Understanding the patterns of change. “Seeing the patterns shift,” or, not to ignore the most overused phrase in business, Wayne Gretzky’s advice, “I skate to where the puck is going to be, not to where it has been,” is at the heart of scalability. As the cyber and data protection team and its products grow, scalability means seeing the patterns that tell you which processes will break, and knowing when they will break. Do you understand the models that will tell you which process methods break, and when? For example, are the career paths of your team able to scale to double its size if circumstances dictate? Do the customers you serve in other departments, and the customers of your organization, grasp the necessity of scalability? Risk evolves; risk itself scales. Scalability is not something you budget for next year. Scalability is sustaining performance while keeping efficiency and economic control of the situation. A CISO must be able to view scalability through an economic lens, a principled lens, and a philosophical lens.
- Predictability – Knowing what you know and what you do not know is the cause and effect of predictability: the art and science of assessing and providing feedback to the entire organization, not just to those in the technology department or the compliance area. “Seeing the storm coming before the clouds arrive” is a saying I tried to live by in my past career. In the life of a CISO, predictability is both comforting and boring, and that is a good thing. Predictability gives the organization a sense of calm and security. At the core of predictability is intuition, and I define intuition as knowing all there is to know about how one’s organization lives and thrives day to day. Predictability is the law that governs phenomena; it is a necessary ingredient of the scientific method, and it is inherent in what a CISO must do to be successful.
Now for the least understood and most important attribute for the aspiring CISO.
- Authority – Authority is never a right; it is always a duty. So I am not talking about the “authority” granted by a greater power in the organization. Authority cannot be forced, and authority is not earned. Authority demands humility, benevolence, and understanding, and in its legitimacy it offers protection, guidance, and progress. Authority is not power. Authority is not leadership. Authority presents itself when you create trust, loyalty, and a deep connection to your vision and values. Authority is growth through suffering. Viktor Frankl once said: “If there is meaning in life at all, then there must be meaning in suffering… What is to give light must endure burning.” Authority is “hard-earned wisdom.” Virtues are forged in the sea of “meaning,” and that is what promotes authority. The growth of a CISO is not inevitable in the job; you have to do the emotional and relational work to process your suffering, and thereby understand the meaning you give to the role of a CISO.