Lessons Learned as CISO
When I first stepped into the CISO role, I had the tremendous benefit of receiving help and advice from a number of seasoned CISOs and CSOs. Having now filled the role for several years, there are a number of things (in no particular order) I have learned from experience that I would like to pass along to others.
Teamwork is crucial
Building rapport and working relationships, both internally and externally, is very important. You won’t be able to get very far if you can’t get others on board with your security initiatives.
Hire people that are smarter than you
This doesn’t mean to grill prospective employees for random tidbits of technical knowledge like a trivia quiz. Put aside that list of common “trick” interview questions aimed at tripping up the candidate. These serve little purpose but to put the interviewee on edge.
Instead, have a meaningful conversation. Discuss specific experiences. Learn how they would approach various scenarios. That said, not everyone has an outgoing, type A personality. If a candidate is having difficulty verbalizing their thoughts, put a pen or marker in their hand and have them draw or whiteboard their solution. This will often put technical folks at ease, and you will learn much about their thought process and decision-making skills.
Listen to your team
This is advice I need to remind myself of often: learn to stop, take a breath, and listen to what my team members have to say. It is easy to jump to conclusions or make assumptions about where they are coming from. If you have hired smart people, you’ll want to sit back and take the opportunity to learn from them and their experiences.
There have been numerous occasions where I thought I understood the situation and had a decision in mind; after a healthy conversation with my team, however, my mind was changed on a position or course of action. Don’t miss out on the benefit of other points of view and experience.
The single best advice I have for communicating with others is to put yourself in the other person’s position, and communicate to their perspective. In other words, if you were that other person, what information and context would you be looking for? Think about that and deliver your message accordingly.
Not to pick on the network guys with my example here, but network engineers see everything from the network perspective. Each device has an IP address. They typically don’t care about host names or server functions. If you’re having communication issues between hosts and you present your issue as two IP addresses failing to communicate on a specific port, you will have their attention. Similarly, if you’re working with a project manager, present your concerns from the perspective of how they affect the project, its milestones, and the overall timeline.
This also applies to situations where you need to tighten permissions or implement restrictions. Affected users often take these restrictions personally, whether the change really affects them or not. Something I always do when communicating these changes is to identify and emphasize the items and results that will benefit them.
For example, removing unnecessary elevated privileges from system administrators is critical for maintaining proper separation of duties, and it is not something they need to take personally as a reflection on their skill or trustworthiness. Instead, it has the immediate benefit of protecting them from making a costly error. Also, if a forensic investigation ever takes place, focus is placed on the users who had access to the affected systems; limited permissions can keep an administrator from having to be questioned as part of that investigation.
Maintain proper focus
Don’t lose sight of the big picture. Understand the full scope of your responsibilities and where your bigger risk areas are. It’s easy to get caught up in a “fire drill” related to a specific risk, issue, or vulnerability. When you find this happening, take a moment, step back, and keep focus on where this fits in the overall picture.
If you find yourself in the throes of a compliance audit where it feels like nothing is going well, and your team is buried in evidence requests and findings from the auditor, realize that there is a bigger picture. Your overall security posture is much larger than any one compliance audit. Learn what you can from the audit process, and make positive adjustments to your security program where you can.
I hope that some of these suggestions are helpful to others who are just starting out in security leadership, and perhaps ring true with other more seasoned security veterans.