Guiding the Chief Information Security Officer Role: Usual Traps for Novice Leaders

Around ten years ago, I crafted a blog article called, Top five mistakes new IT security leaders make.

You might be amazed to find out that, despite all the progress and transformations in the technology and cybersecurity sectors in the last decade, the guidance I provided is still applicable, and these aspects remain major concerns — with some fresh nuances.

As a brief recap (although it is advisable to peruse the complete article), here are the five key pitfalls I outlined back in 2013:

1) Transitioning into the role of “Dr. No”: You’ve prepared a checklist and ticked off all the items. Now, armed with your newfound security authority, you’re all set to clamp down on all the negative occurrences within your organization. Proceed with caution…

In spite of the instinctual urge for security leaders to get tough, you don’t want to be labeled as the “party pooper.” Your objective: Earn a reputation as a facilitator of secure technology and ingenuity.

2) Neglecting to expand your professional network, from all angles: Emerging security leaders should consider cultivating trustworthy connections with every level of the organizational hierarchy (from superiors to peers to ground-level personnel). Step out and engage with your clientele. Familiarize your face within the relevant circles. Participate in vital enterprise committees and task forces during the initial year. Take a stroll around. Step out of the office. You’ll appreciate it later on.

3) Overemphasizing internal focus for an extended period: No public speaking, no blogging, no social media, no external committee involvement. This pitfall is akin to No. 2, but external to your firm.

Constructive public relations (both internally and externally) demands time and effort — but commence early. It will prove beneficial for you and your team during challenging times. Constructive communication and positive narratives about your team’s accomplishments ought to form part of your roadmap to triumph.

4) Inadequate vendor management/relationship practices: You can veer off the path on either side of this issue with external partners. Certain security leaders dedicate all their time to security product and service companies, devising roadmaps, lifecycle blueprints, fresh upgrade strategies, and more. They transact with the never-ending list of established enterprises and buzzing new security startups as if it were a full-time occupation. Some exhibit a clear preference for one or two particular firms based on previous encounters or personal friendships.

Conversely, others adopt a different approach, believing they possess superior knowledge or that security vendors are their primary hurdle to overcome. They evade meetings with vendors as it can consume a substantial amount of their valuable time.

5) Absence of a mentor: Strangely, numerous fledgling security leaders believe either that they can manage solo, no one has traversed their specific path before, or they lack the time for an external mentor.

Risky decision. Identify a reliable, esteemed mentor as swiftly as conceivable in your fresh role. It will prove beneficial in myriad ways. And someday, reciprocate the favor and mentor one or more budding leaders.

REVISIONS FOR 2024

What’s absent from this enumeration?

A common, and entirely accurate, belief among most novice CISOs is that they must conduct a baseline risk assessment of the enterprise. This is usually something most new CISOs get right, since it is frequently mandated and/or essential for measuring progress against standards.

Less well known, or less obvious, is the need to evaluate your people alongside the processes and technology. Undoubtedly, numerous fledgling cybersecurity leaders are required to comprehend audit findings, controls in place (or lacking), identity management, integrated frameworks (such as CSF 2.0), both functional processes and less successful ones, and other checklists pertaining to risk areas.

Several suggestions related to “people matters”:

1) Surround yourself with specialists who can fortify your weaker areas and aid in identifying blind spots.

2) Cultivate a cohesive team especially fluent in cooperating. (Fun fact: This elucidates why numerous head coaches in collegiate and professional sports bring along their staff when transitioning roles. Astute leaders realize the significance of trust and how the entire establishment’s success or failure hinges on the momentum of trust within your leadership ensemble.)

3) You can even gauge the efficacy of relationships in a comprehensive manner. For a comprehensive guide on how to achieve this, refer to this article on appraising CISOs.

This facet of building a team, while contemplated by numerous new security leaders (whether CISOs, security directors, or under any alternative epithet), is frequently arduous to actualize in our present milieu where securing talent is challenging and retaining them proves arduous over protracted durations. This scenario can be particularly acute in the public domain where remuneration, perks, and stock options are generally meager.

Nevertheless, as I have reiterated on numerous occasions, I would prefer a squad of adept, trustworthy, diligent security professionals as opposed to a team solely comprised of security “celebrities” who excel — albeit lacking my trust.

Other security leaders exclusively recruit individuals inferior to them, fearing potential overshadowing.

The takeaway: There’s a risk of faltering on either side of this spectrum, therefore dedicate effort to selecting and backing your squad.

Before concluding this blog post, I wish to point you to the typical causes of failure among all security experts, which intersect with this compilation of potential successes and setbacks for CISOs in several aspects.

CONCLUDING REMARKS

Upon sharing a LinkedIn version of the 2013 article, I received a slew of remarks. Several of those pertained to CISOs who boasted sound managerial acumen but lacked adequate technical competencies. Here’s a comment from Jean Pawluk:

“Well expressed. I [am] starting to see too many CISOs though who have absolutely no technical background, who simply don’t grasp security, obstruct progress by focusing 99% of their time on managing upwards as opposed to understanding their org’s security needs or averting incidents altogether. They prefer assuming almost all risks as they believe it’s cheaper to resolve later.”

My response: “Jean – I wholeheartedly concur. I think one can sway in either direction. Either insufficient technical proficiency or others who encounter difficulties engaging with senior management and the business. One of my assertions is that, truthfully, it is even more intricate than that. There exist five (or six) sets of relationships and skills that necessitate examination.”

In conclusion, each fresh CISO brings assets and liabilities into their leadership role, yet we can glean insights from others’ experiences and avoid the pitfalls awaiting you along the way.
