When someone from the IT group gets promoted into security management, a common first lesson is that “geek culture” is ineffective in the boardroom. Just watch one episode of The Big Bang Theory and you’ll recognize the classic nerd character types. Those who behave in that manner tend to get marginalized by executives. We’ve all probably seen the stereotypical security officer quoting policy, telling everyone why something cannot be done. Very quickly, the organization finds ways to route around a Draconian security program just to get things done—though often in dangerous ways. It’s wise for a CISO to remember that every other department in the company has been given marching orders to go forth and conquer, and do what is necessary to make the customer happy. Security leaders need to follow this mantra as well. This means developing skills that some hardcore geeks disdain.
The first key skill is communication. The CISO’s job is to explain IT risk in terms of the appropriate business model and mission. This presumes an understanding of the organizational structure and culture, where resources come from, and how a win is measured. This may seem obvious, but many good, smart people, heads down in IT departments, are often unaware of the day-to-day workings of their organizations. Successful security professionals soon learn they need to open their ears and their minds in order to have influence.
Strong security leaders think in terms of business risk, and not necessarily just technical risk. This is because the executive team operates in a world of business and financial risk. In fact, success in a leadership position is really all about the ability to make good decisions in the face of uncertainty—the definition of risk. Do we acquire that company or not? Do we cut the sales budget or employees? Can we expand in a new area, and, if so, can we maintain our edge? All of these things are business risks. A Distributed Denial-of-Service attack taking down a new streaming service on launch week is also a business risk. So is a privacy breach splashed on front pages of the news. So are the fines and penalties associated with a significant material weakness in a regulatory audit. In these terms, leadership can understand and react appropriately to cyber threats. The CISO’s job is to be the subject matter expert on IT risk and properly translate it into business risk for colleagues and leadership.
Another trait essential for security leadership is understanding the duty of service. Simon Sinek said in Leaders Eat Last, “Leadership is the choice to serve others with or without any formal rank.” Security leadership is no different—we must be helpful and guide the organization through the perilous rapids of the Internet. If we must say “no,” we should also step in with alternative solutions. Security should always act as a solution provider to help the business best minimize unnecessary risk. We should be honest and clear about costs and real-world impacts. At the same time, we need to avoid sowing fear and distrust as a means of persuasion.
Toughest of all, we as security leaders need to realize that we are human and can’t know everything about technology, security, and compliance. When the situation arises, we have to be able to admit with confidence when we don’t know something. It’s always better to say “I don’t know but I’ll find out and get back to you” than to make guesses about things we don’t know about. In the end, trust and reputation are what make or break a good leader.
I’m hoping many of you are nodding your heads as you read this. For those of you who aren’t, take this as a reminder about our true mission and goal. Lastly, if you are an aspiring CISO (and I hope you are, because we need more of you), remember that your communication and diplomacy skills are just as important as, if not more important than, your technical skills as you climb the ladder.