The Journey of a CISO: Challenges for Novice Leaders

Over a decade ago, I penned a blog post titled, Key blunders made by new IT security leaders.

It may come as a surprise, but despite all the advances in technology and in the cybersecurity industry over the past ten years or so, the guidance I offered then still applies today. The same areas of concern persist, with a few fresh perspectives added.

To summarize briefly (though I do recommend reading the entire piece), here are the top five stumbling blocks I outlined in 2013:

1) Becoming the "Denier": You have compiled your list and checked it twice. Now, armed with your new security authority, you are ready to stamp out everything bad in the enterprise. Proceed with caution…

Security leaders naturally want to exercise their authority, but you do not want to be labeled the one who spoils everyone's fun. Your aim: be recognized as an enabler of secure technology and innovation.

2) Neglecting to build your professional relationships, across the board: New security leaders need to build trusted relationships at every level (with superiors, with peers, and with frontline staff). Meet with your customers. Be visible where it matters. Join the key enterprise committees and task forces early on. Get out of your office. You will thank yourself later.

3) Looking only inward for too long: No speaking engagements, no blogs, no social media, no involvement in outside groups. This echoes No. 2, but applies outside your organization.

Good public relations (both internal and external) takes time and effort, so start early. It will pay off for you and your team when hard times come. Positive communication and good stories about your team's successes need to be part of your plan for success.

4) Poor vendor management and vendor relationships: You can fall off either side of the horse with outside partners. Some security leaders spend all their time with security product and service companies, working on roadmaps, lifecycle plans, upgrade strategies, and the like. Meeting the endless parade of established companies and hot new security startups becomes their full-time job. Some play favorites with one or two vendors based on past experience or personal relationships.

Others take the opposite approach, assuming they know more than everyone else or that security vendors are their main obstacle to overcome. They avoid vendor meetings, dismissing them as a waste of time.

5) No mentor: For some reason, many new security leaders believe they can go it alone, or that no one has ever held a role quite like theirs, or that they have no time for an outside mentor.

Mistake. Find a trusted, respected mentor early in your new position. The benefits are many. And at some point, return the favor and mentor one or more up-and-coming leaders.

RECENT OBSERVATIONS FOR 2024

What’s absent from this list?

Most new CISOs rightly believe they should conduct a baseline risk assessment of the organization. Many do this well, since it is often required, and it is needed in any case to measure progress against benchmarks.

What may be less obvious, and less common, is assessing your people alongside the processes and technologies. Certainly, new cybersecurity leaders need to know the audit findings, the existing controls (or lack of them), identity management, the frameworks in use (such as the NIST Cybersecurity Framework, CSF 2.0), the processes that work, and the areas of risk.

A few “people-centric” suggestions:

1) Surround yourself with experts who cover your weaknesses and your blind spots.

2) Build a cohesive team. Your direct reports matter most. (A side note: this is why so many head coaches in college and professional sports bring their staffs with them when they change jobs. Smart leaders understand trust, and how much the whole organization depends on the speed of trust within the leadership team.)

3) You can even measure your progress by how well these relationships work overall. For more on this, see this guide on evaluating CISOs.

Building a team is a challenge for many new security leaders (whether CISOs, security directors, or another title), given how hard it is to attract and retain security talent for long stretches in today's market. This is especially true in the public sector, where pay, benefits, and equity often fall short.

Nonetheless, as I have said many times, I would rather have a team of capable, dependable, hard-working security professionals than a team full of security "rock stars" who are exceptional but whom I do not trust.

Some security leaders only hire people less capable than themselves, for fear of being overshadowed.

The takeaway: you can err on either side of this issue, but invest the time to choose and support your team.

Before closing, I point you to this piece on why security professionals fail, which overlaps in many ways with this list of CISO successes and failures.

CONCLUDING REMARKS

After I shared a LinkedIn version of the 2013 article, I received many comments. Some concerned CISOs who have strong management skills but lack technical competence. Here is a comment from Jean Pawluk:

“Well expressed. I [am] starting to witness a surfeit of CISOs lacking any technical foundation, failing to grasp security, hindering operations by focusing 99% of their time on managing upwards instead of understanding their organizations’ security necessities or forestalling issues from arising in the first instance. They prefer assuming almost all risks since they believe it’s cost-effective to pay subsequently.”

My reply: “Jean – I concur entirely. I believe one could falter on either end of that spectrum. Either insufficient technical acumen or individuals grappling with linking with senior management and business. One of my arguments is that, realistically, it’s even more intricate than that. There exist five (or six) clusters of relationships and competencies necessitating scrutiny.”

All in all, every new CISO brings strengths and weaknesses to the leadership role, but we can learn from the experience of others and avoid the traps that surely lie ahead.