Tuesday, March 26, 2013

As a Security Leader, how well do you communicate your Accomplishments, Contributions and Value to the business you serve?

A security, risk and compliance professional whom I have gotten to know over the past year or so shared a few of his thoughts with me. He agreed to share the whole story rather than skim the surface, knowing that I would not use his name or any reference to his company in my Security Recruiter Blog.

Let’s call this person John. John plays a very important role in his financial services company, but he is open to a professional change for one reason: the CEO of his organization either doesn’t see value in what John does, or sees the value but fails to acknowledge John’s contributions in a way that is satisfying to John. Consider John’s words:

“One of the primary reasons I want to leave my company is because I feel that there is no support from the CEO in regards to information security. Security is viewed as nothing more than "checking the PCI box."

Whether the issue is software reviews, disaster recovery or security awareness, any attempt by me to offer any type of improvement is shot down even though many of my suggestions involve a change of procedure which involves very little (or no) financial burden. My job is to write policies, get the company PCI certified and present myself to potential customers when they ask about our security posture.
I report directly to General Counsel who reports directly to the CEO so I would consider myself fairly high up the corporate chain. The problem is that the CEO does not give me the impression that he's serious about security nor will he change his mind anytime soon.”

Since I’m not a fly on John’s wall, I don’t know whether John is doing a good job of communicating his value to the General Counsel and the CEO. Because many CISOs report to a CIO and struggle with the conflicts of interest that reporting line creates, my first suggestion to John is that he take a serious look at the way he works with his current reporting structure before he jumps ship. On paper, John’s reporting structure is a good one.

Many security leaders come to me saying that they’re not actively looking but would consider a move if they could step into a more favorable reporting structure. More often than not, these words come from CISOs who report directly to a CIO when they would really like to report to someone outside of IT, as John already does.

Rather than rushing to help John make what may be an unnecessary job change, I’d much rather help him determine how well he is, or is not, communicating his contributions, accomplishments and value to his executive leadership. There is a chance that John’s CEO simply doesn’t care about information security.

On the other hand, there is also a chance that John’s CEO doesn’t understand what John actually does for the company. If that is the case, this communication breakdown can and should be addressed before John puts his resume on the street.

SecurityRecruiter.com's Security Recruiter Blog