Thursday, January 15, 2015

A Top Chief Information Security Officer Shares Her Thoughts on CISO Success for 2015 and Into the Future

In 2015, a Chief Information Security Officer (CISO) has to think like a CEO, not like a Security Architect. Companies have spent many years sitting on billions of dollars waiting for just the right time to pursue a growth strategy.
Corporate employees have been rewarded for keeping the lights on, containing costs and finding success in low growth environments. For most of the “great recession”, it has been good politics to not stretch and to not disrupt comfort zones. In this CISO’s opinion, times have changed. She is now being asked to help her multi-billion dollar employer expand their business.
When the mission is to expand the business, one cannot operate the same way one did when the mission was to contain costs. This mission requires a different set of leadership skills with a different focus. CISOs in 2015 are in a position where they need to become business leaders and not just technology leaders.
After building a world-class security and governance program in her current organization for more than a decade, this CISO has recently tested the waters to see what else might be out there. She is ready to either build a security, risk, compliance, privacy and governance program from the ground up or rebuild a program that was not built correctly in the first place.
This CISO has talked with several companies that are either hiring their first CISO or companies that are replacing a CISO who either moved on and left a mess behind or was asked to move on and left a mess behind.
In this CISO’s recent experience, not a single employer she has interviewed with has asked her detailed security questions. She is being asked questions about her leadership style, her leadership philosophy and her ability to build and manage interpersonal relationships across the business. She has been asked questions to demonstrate her understanding of how business operates.
Some companies fear that a CISO will create roadblocks to moving business forward. They form these impressions either from having hired this type of CISO in the past or from stories they've heard. Interview processes this CISO has encountered are heavily focused on culture fit. She suggests that companies want CISOs who can help to move their business and their profits forward.
She has been asked to provide a writing sample by one employer to assess whether she communicates in clear business language or shrouds the meaning of her written words within the “deep secrets” and “mystical arts” of technology and security.
This CISO tells me that employers she has recently encountered are placing significant value on what she referred to as “soft skills” and “business acumen”.
Fortunately for this CISO, she has been coached to understand her personal strengths, and she has invested more than a year of time to improve her emotional intelligence. This investment is paying dividends. This CISO tells me that improving her emotional intelligence has made all the difference in her performance on the job, outside the office with family and friends, and during her recent interviews.
High-performing risk leaders are strong analytically, but must learn to treat people as people and not as equations. The job of today’s security and risk leaders is to listen more than they speak and to make rational suggestions to the executives who own risk, so that those executives can make their own decisions about how to handle the company’s risk appetite.
Though she continues to receive coaching to improve her emotional intelligence, she is ready to build a new security, risk, compliance, privacy and governance program with a deeper and broader skill-set to offer her next employer more than the skill-set she had a decade ago when she built her first program.
In summary, the best security and risk leaders realize that success is not so much dictated by possessing awesome technical skills as it is about establishing relationships and building trust.
Whether that trust is built between the security leader and other organizational leaders, between the security department and other internal stakeholders, or between the company and its service providers, the goal is the same.
The goal is to protect the company’s crown jewels.
Jeff Snyder, @SecurityRecruit, Certified MasterMind Executive Coach, Certified Stakeholder Centered Coach, Certified Emotional Intelligence Coach, Public Speaker. Jeff Snyder's Security Recruiter Blog.