To be or not to be a CISO
Do you aspire to be a CISO?
As a former CISO, I felt compelled to write this article after seeing many articles about the role of a CISO and opinions on how hard it is becoming.
I'm uncertain whether many people today would actually aspire to be a CISO given the pressures, the demands of regulators, third-party audits, and the looming possibility of a data breach. It is certainly a role that is not for the faint-hearted!
Someone recently asked me if I would ever be a CISO again, and it's a difficult question to answer. The things that would make up my mind are the organisation's culture and support, reporting lines, authority, and budget ownership.
Prior to even being a CISO, I had consulted for organisations globally on how to build, develop, and mature successful security programs. I was often asked who the CISO should report to. My answer back then was that it depends! I know I was using the lame consultant answer under the guise that if the organisation supported the CISO and that person was close to the business, then it didn't really matter whom they reported to. Having lived and breathed that role for 5 years, I think that the earlier answer was naive, and now I am of the firm belief that unless you have a direct reporting line to the CEO / COO and board, then you are nothing more than a CISO in name. That sounds harsh, I know, but the reality is if you don't have that visibility, your voice will be muted.
Questions
If I could go back in time, these are some of the questions I would tell my younger self to put to a prospective employer recruiting for the role of CISO:
- Does this position have the support of both the leadership team and the executive board?
- Does the role provide authority to speak directly on matters of security that have impact to the business to the board, CEO and other key stakeholders?
- Is the security program budget owned and managed by someone else?
- Does this role have the authority to enforce policy?
- Is this role only responsible for part of the organisation (e.g., a business unit or product group)?
- Is security, or the CISO function, just a subset of the role?
The role
The role itself is not purely technical; in fact, some people in the role are not technical at all. Being technical, in my humble opinion, does help, but you will need to balance that skill set with solid business acumen, risk management, project management, people management, and prior experience working in large enterprise organisations to give you the edge to do well in this role. If you don't have that broad experience, I'm not saying you won't succeed, but you will find it a lot harder. Having the battle scars and learnings from being in the trenches, and being able to lead, inspire, and instill confidence, are qualities you are going to need.
So, would I do the role again?
If the stars align, and given that I am always up for a challenge, then yes, I would!
My parting advice, if you still aspire to be a CISO after reading this, is to go into the role with your eyes wide open: listening is a key part of the role; be prepared to be challenged and confronted; be adaptable and ready to think on your feet at a moment's notice; be ready to be tactical as well as to play the long game; and be careful what you wish for! Finally, I'll leave you with this extract from the poem "If" by Rudyard Kipling:
"If you can keep your head when all about you are losing theirs and blaming it on you, if you can trust yourself when all men doubt you, but make allowance for their doubting too; if you can wait and not be tired by waiting... Yours is the Earth and everything that's in it, and - which is more - you'll be a Man, my son!"