Thursday, April 25, 2013

Jeff Snyder's Weekly Look Into What Makes a CISO / CSO Successful

What Makes a CISO / CSO Successful?

I don't know how many more of these CISO / CSO success blogs I'll be able to produce.  Coming up with willing volunteers to contribute advice has been a bit more challenging than I thought.  While I'm enjoying reading the feedback that has come in for me to pass along, I'm not collecting this information for my own benefit.

My vision when I came up with this idea was to provide information for up-and-coming security leaders to learn from.  While I don't know every CISO or CSO on the planet, I know more than the average person does.

What I've discovered through this effort is that many of the CISOs and CSOs that I think most highly of are the ones who've been willing to contribute to this project.

Today's thoughts come from a CSO in the Financial Services and Insurance industry

I've known this person for approximately 7 years, since I first recruited him for a Bank CISO Job I was working on in New York.

I hope you enjoy today's contribution.

"The leadership of your business desperately wants to be successful. They've read how security problems can undermine their dream, but they don’t really know how to find the right balance between spending money to drive growth and spending money to protect their business. So if you want to become a CSO, you’ll need to help them figure out how to find that balance, and then be able to drive the changes for them to achieve that balance.

Not everyone is going to thank you for focusing on the ugly problems that the business has learned over the years to ignore.  But a good CSO will lead the changes needed to fix the problems standing between security risks that are appropriately managed and those that are not. It takes more courage to do that than most people imagine. You’ll receive as much criticism as praise when you step up to untangle expensive and deeply entangled problems.   Being a good CSO is less about being in charge than it is about being willing to bet your badge to do the right thing, often without the praise or even acknowledgement of the people in the business with the most at stake. Don’t misunderstand. I’m not talking about being dogmatic or sacrificing business for the sake of security. I’m talking about implementing reasonable controls that business leaders publicly claim to encourage and uphold.

I deliberately did not talk about things that lead to public perception of success in the CSO role.  There are plenty of CSOs who finish their stint with all of the business’s messy, difficult problems still intact.  Those CSOs aren't necessarily viewed as failures. But in my book, if you want the CSO role, you need to take personal risk to reduce business risk, and if you’re not willing to do that, you shouldn't aspire to be a CSO."

Care to Contribute?

If you are a CISO or CSO and you would like to contribute your thoughts, please call me so I can explain to you what I'd like to deliver to readers.

Jeff Snyder’s Security Recruiter Blog 719.686.8810