Thursday, February 28, 2013

Jeff Snyder's Weekly Look Into What Makes a CISO / CSO Successful

I’m always looking for new ways in which I can use my position to bring value to the security profession. When I refer to my position, I’m simply referring to the position I occupy sitting between security, risk, compliance and privacy professionals and those who hire security, risk, compliance and privacy professionals. I constantly learn from the individuals I’m fortunate to work with every day, so I’ve been thinking about how I can pass on some of what I learn for the benefit of others.

A few weeks ago I came up with the idea to leverage my position for the good of those who one day aspire to become a CISO or CSO. For that matter, current CISOs or CSOs who are struggling might benefit from the advice of their successful peers.

The idea is pretty simple. I’ve begun reaching out to CISOs and CSOs to find out what they think the secret to their professional success is so I can share their secrets with those who wish to one day be a successful CISO or a CSO.

I hope you find this information to be helpful.  I’ll try to post a new success secret every week as these points of view are shared with me.

How the CISO of a large Bank views success
"Speak the 'lingua franca' of senior management - earnings per share, market share, income & expense, balance sheet, cash flow, business strategy, and so on - and be able to describe how information security contributes to the enterprise in those terms.  There will always be the rare 'galvanizing events' - data breach, natural disaster, fraud, etc. - that open the door to using FUD (fear, uncertainty, and doubt) tactics to promote information security, but this is not a sound basis for a sustainable information security program.

Realize that information security, by and large, is not the most important issue on the minds of senior management, and that it needs to compete for funding and mindshare with a variety of other activities.  Product and service development, marketing, geographic expansion, M&A, or for that matter, other forms of operational and financial risk, form the larger ecosystem within which information security exists.  Avoid the temptation to be overly strident and to place your cause above all else, lest you be viewed as having an unbalanced enterprise perspective, or worse, being an alarmist.

If you take a risk management approach to information security, and you should, be prepared for the consequences.  Best practice, standards, and legal & regulatory compliance are no longer 'safe havens' and prima facie justifications for security.  Be prepared to have residual risks accepted that you are uncomfortable with.  And because information risk management, as part of operational risk management, is immature and highly qualitative compared to the more well developed financial risk disciplines, be prepared for discussions that are much more based on opinion rather than fact.

Know your industry, business, leaders, and culture.  Adapt to them.  As much as we would like to view ourselves as agents of change, there are many aspects of the environment within which we work that will require us to adapt our approach in order to be successful.  A boss I had once gave me this sage advice: We adjust to reality; reality does not adjust to us.

Don't get frustrated because you are always behind.  The seemingly endless number of new threats, and their originators, who seem to have better funding than you have to fight back, are an ineluctable way of life.  You're still fighting the good fight, and reaction is better than no action.  Look for Black Swans, but they aren't called that for nothing."

Care to Contribute?

If you are a CISO or CSO and you would like to contribute your thoughts, please call me so I can explain to you what I'd like to deliver to readers.

Jeff's Security Recruiter Blog