A blog post I authored over ten years ago, called Top five mistakes new IT security leaders make, might surprise you by remaining relevant despite the evolution of technology and the cybersecurity field. The advice shared in that post is still crucial, although with some newer nuances.
As a brief summary (recommended to read the full article), here are the primary pitfalls highlighted back in 2013:
1) Becoming “Dr. No”: Creating a list of do’s and don’ts, ready to wield your newfound security authority to halt all unfavorable activities in your organization. Caution is advised. Despite the inclination to be stringent, you don’t want to be labeled the “party pooper.” Your aim should be to facilitate secure technology adoption and innovation.
2) Neglecting to develop a comprehensive professional network: New security leaders should focus on cultivating reliable relationships across all levels of the organizational hierarchy (from superiors to peers to frontline staff). Interact with customers, reinforce your presence in relevant circles, engage in essential enterprise forums and working groups during the initial phase. Step out, mingle. You’ll appreciate the effort in the long run.
3) Concentrating solely on internal matters for an extended period: Avoiding public speaking, refraining from blogging, steering clear of social media, and skipping external engagements like committees. While akin to No. 2, this pertains to activities outside your organization.
Constructive PR (both internally and externally) entails time and dedication — commence early. It will fortify you and your team during challenging times. Promoting positive communication and recounting tales of your team’s accomplishments should be part of your success strategy.
4) Inadequate vendor management/relationship practices: You can veer off course on either end of this issue with external partners. Some security heads devote all their time to security vendors, crafting roadmaps, devising lifecycle plans, formulating upgrade strategies, and more. They treat endless sessions with established enterprises and fresh security startups as a full-time occupation. Some individuals exhibit bias towards specific companies due to past experiences or personal affiliations.
Others adopt a contrary approach, presuming they know better than anyone else, regarding security vendors as a major obstacle to overcome. They avoid vendor interactions, deeming it a waste of valuable time.
5) Lack of a mentor: Many new security leaders erroneously believe they can navigate solo, assume their role is unprecedented, or claim they lack time for an external mentor.
Regretful decision. Quickly secure a reliable, esteemed mentor upon assuming your new position. It offers myriad benefits. Eventually, reciprocate the gesture by mentoring one or more novice leaders.
2024 Updates
What’s absent from this list?
Most new CISOs correctly assume that they need to conduct a foundational risk assessment of the enterprise. This is a task many new CISOs manage well, as it is often mandatory and/or crucial for tracking progress against benchmarks.
Less evident, however, is the need to assess people alongside processes and technology. Certainly, many new cybersecurity leaders must familiarize themselves with audit findings, existing controls (or the lack thereof), identity management, implemented frameworks (such as CSF 2.0), functional processes, areas of concern, and other risk-related checklists.
A few “people-centric” recommendations:
1) Enlist specialists who can fortify your weaker aspects and rectify blind spots.
2) Form a cohesive team. Particularly critical are those under your direct supervision. (Side note: Many head coaches in collegiate and professional sports bring along their staff when transitioning roles. Astute leaders comprehend the significance of trust and how organizational dynamics hinge on the speed of trust within the leadership team.)
3) Evaluate your team’s harmonious functioning in a holistic manner. Refer to this article on evaluating CISOs for detailed insights.
Cultivating a team poses a significant challenge for many novice security leaders (be it CISOs, security directors, or similar titles). Acquiring and retaining security talent over prolonged periods is notably tricky, especially in the public sector where compensation, perks, and equity options often fall short.
Nonetheless, as I have said many times, I’d prefer a team of competent, reliable, hardworking security professionals over a squad of exceptional security “celebrities” in whom I lack trust — even though their skills are outstanding.
Some security leaders avoid hiring individuals superior to them, fearing being overshadowed.
The crux: You can stray on either end of this spectrum, but invest effort into selecting and endorsing your team.
Before concluding this post, I direct you to common reasons for security professionals’ failures, which intersect with this list of CISO successes and pitfalls in various aspects.
Concluding Remarks
When I shared the LinkedIn version of my 2013 post, I received numerous comments. Several highlighted CISOs with managerial experience but insufficient technical acumen. Here’s a comment from Jean Pawluk:
“Well said. I’m observing a surge in CISOs lacking a technical foundation, failing to grasp security nuances, becoming obstacles by focusing excessively on managing upwards instead of understanding their organizations’ security needs or pre-empting issues. They prefer assuming almost all risks as they believe it’s more cost-effective to address them later.”
In response, I stated, “Jean – I fully concur. The balancing act can tilt either way. Insufficient technical prowess or difficulties blending with senior management and the business. The reality is more intricate. There are five (or six) sets of relationships and competencies necessitating examination.”
To sum up, every fresh CISO carries strengths and weaknesses into their leadership role. Learning from others’ experiences can help you sidestep the inevitable challenges.
