Thursday, April 04, 2013

Jeff Snyder's Weekly Look Into What Makes a CISO / CSO Successful

I’m always looking for new ways in which I can use my position to bring value to the security profession. When I refer to my position, I’m simply referring to the position I occupy sitting between security, risk, compliance and privacy professionals and those who hire security, risk, compliance and privacy professionals. I constantly learn from the individuals I’m fortunate to work with every day so I've been thinking about how I can pass on some of what I learn for the benefit of others.
A few weeks ago I came up with the idea to leverage my position for the good of those who one day aspire to become a CISO or CSO. For that matter, current CISOs or CSOs who are struggling might benefit from the advice of their successful peers.

The idea is pretty simple. I've begun reaching out to CISOs and CSOs to find out what they think the secret to their professional success is so I can share their secrets with those who wish to one day be a successful CISO or a CSO.

I hope you find this information to be helpful. I’ll try to post a new success secret every week as these points of view are shared with me.

How a multi-national C(I)SO in the global engineering industry views success

In my experience, it is important to have courage and to “speak up” to tell the necessary truths. A CISO / CSO must be an educator to other executives and business leaders. This is risky work, but it is necessary and it is basically all about lived (practiced) integrity. You need to be able to speak both business language and geek speak, depending on the audience.

So in this role you are a “translator” on the fly (a Babel fish for security) and you must make the necessary adjustments to the techno lingo based on ROI, available budgets and appropriate risk acceptance.

You need to understand that security is not a technical issue alone (yes, it is at first look, I know), but foremost it is a people problem. People use technology (the right way or not). People follow processes / procedures (the right way or not) and people take risks all the time (knowingly or not).

So awareness, continuous education and positive messages to keep reminding employees about the correct ways to do business in a secure manner are in order. To make that happen, you need to be 100% adaptable to your entire audience, from the board room to the shop floor and vice versa. To be accepted, you must first build relationships and credibility.

You need to be able to develop security from the ground up. I call it security “by design”. Bolted-on security solutions don’t work. Bolted-on security is neither effective nor efficient.

To get there, you need to understand the business and you must create solutions for all the various parts of your organization that “create” something (be it product, software/hardware, website pages, brand and reputation, intellectual property, etc.).

Your organization’s leaders need to learn to ingrain security into their daily business.