There are some bad behaviors that can get executives in trouble.
Illegal and unethical actions are the most obvious, and they typically make an executive unemployable. Most professionals know to avoid such behaviors if they want to continue their careers.
But there are many other missteps that can halt upward mobility, some of which are less obvious and therefore harder to avoid, according to executives, career coaches, and executive consultants. Plus, there are concerns or actions specific to security leadership that can prove career-limiting.
Following are 10 performance shortcomings that can short-circuit a security leader’s career.
1. Failing to align security to business priorities
This is one of the top requirements for security leaders now, and failing to do so will land them on the sidelines.
“Security has evolved from being the end goal to being a business-enabling function,” says James Carder, CISO at software maker Benevity. “That means security strategies, communications, planning, and execution need to be aligned with business outcomes. If security efforts aren’t returning meaningful ROI, CISOs are likely doing something wrong. Security should not operate as a cost center, and if we act or report like one, we’re failing in our roles.”
Carder says CISOs who aren’t yet aligning security to business strategy need to make “a major shift in mindset.”
“Start by accepting that the role has changed. We’re not gatekeepers anymore. We’re enablers of progress,” he says.
2. Being just a technologist rather than a business executive, too
To align security with enterprise strategy, security professionals need to be business leaders, too, says Ryan Knisley, former CISO of The Walt Disney Co. and Costco Wholesale.
That remains a struggle for many CISOs, who still tend to ascend through the security organization and not lines of business — a career progression that leaves many without the skills to tie risk to revenue or measure security effectiveness using business metrics.
“So their role becomes marginalized, and they’re viewed as overhead,” says Knisley, now chief product strategist at tech company Axonius.
He advises CISOs to build their business skills by enlisting professional mentors outside of cybersecurity and getting professional experience also outside of security.
3. Stopping short of a ‘yes’
CISOs generally know that the security function can’t be the “department of no.”
But some don’t quite get to a “yes,” either, which means they’re still failing their organizations in a way that could stymie their careers, says Aimee Cardwell, CISO in residence at tech company Transcend and former CISO of UnitedHealth Group.
Getting to yes requires CISOs to understand the organization’s risk tolerance so they can appropriately balance security controls with the business’ need for speed and ease of transactions.
“CISOs who want to advance their careers are those who are able to say, ‘Yes, and let me help you do it safely and securely and help you do it with more resilience,’” explains Tim Rawlins, senior advisor and security director of NCC Group.
4. Drawing red lines
Rawlins recently worked with a CISO who, when learning of a high-risk idea from his business colleagues, told them, “That’s a red line for me.”
Rawlins advises against issuing such commands, as doing so shows that the CISO is not really focused on business needs.
“CISOs can’t draw a red line and say, ‘Absolutely not,’ because if it’s important to the business, they have to come up with a way to deliver it safely and securely. Otherwise, the business will work around you,” Rawlins says.
5. Being too rigid with the rules
Similarly, CISOs who are too rigid with the rules do a disservice to their organizations and their professional prospects, says Cardwell.
Such a situation recently came up in her organization, where one of her team members initially declined to let workers use a third-party application, pointing to a security policy barring such apps.
Cardwell worked with her staffer to do a deeper dive into the situation, learning that the app would run on only two machines for two months and was critical for a business initiative.
They opted to make an exception to the security rule and implemented controls — such as creating a service ticket to ensure the app is removed at the expected project end date — to take a calculated risk on behalf of the business.
That, Cardwell notes, demonstrates security’s willingness to be a business enabler and ensures the CISO and the security team are viewed as partners, not obstacles to work around.
6. Getting AI wrong
As artificial intelligence becomes pervasive, CISOs need to mature their understanding of the technology so they can appropriately secure it. Otherwise, they’ll be seen as relics of the pre-AI era.
Yet many security professionals still treat AI “like a typical technology tool, and not as a terrain,” says Jenai Marinkovic, a virtual CTO and CISO with Tiro Security and cybersecurity expert with the ISACA, a professional association focused on IT governance.
“AI is a terrain modifier,” she says. “It alters the adversarial landscape, the decision loops, and even the nature of ‘truth’ inside organizations. Professionals who continue treating AI as a feature will misread their environment and offer solutions to threat classes that no longer exist. Their logic becomes extinct in real-time.”
She adds, “The careers that fail tomorrow will not be killed by laziness or incompetence, but by operating on outdated ontologies.”
7. Failing to have adequate visibility into assets and interdependencies
CISOs who don’t have a firm grasp on all that they must secure won’t succeed in their roles. “If they don’t have visibility, if they can’t talk about the effectiveness of the controls, then they won’t have credibility and the confidence in them among leadership will erode,” Knisley says.
But Marinkovic says visibility today is more expansive than ever before, and those CISOs who don’t model the unseen interdependencies that exist in nearly all organizations today are setting themselves up to fail.
“In hybrid systems, biological, digital, operational, geopolitical, the most catastrophic failures occur at points of unmodeled coupling,” she says. “If you cannot see how your control logic — technical or managerial — interfaces with invisible systems, regulatory, cultural, economic, you cannot govern it. Your career becomes brittle not for lack of skill, but for lack of synthetic perception.”
8. Sticking to yourself
Professionals in every discipline advance in part by helping others do their jobs, becoming trusted partners to their colleagues, and building relationships throughout their organizations. Some people find networking easy, while some roles require the kind of collaborating that helps forge those workplace bonds.
The security function at many organizations doesn’t frequently fall into either of those categories, however, even though building relationships is no less important for both successful security programs and individual career advancement, says Kimberly Roush, founder of All-Star Executive Coaching.
As a result, security workers must create more of their own opportunities. Roush suggests letting colleagues know you’re interested in connecting: Reach out and ask questions; acknowledge others’ successes; set up meetings to learn from others. “You should absolutely be doing those things if you want to have influence beyond your own [department].”
9. Being stingy with your time and attention
There’s no question CISOs are pressed for time, but they need to guard against being so busy that they can’t give their attention to those who come to them with concerns.
“You don’t want to push someone off with a sharp response, because when you do that, then you’ve lost that person for good; you make that person think, ‘I don’t want to work with the CISO,’” Cardwell says.
In such cases people will work around the security function, and they will keep concerns and information about security lapses to themselves.
“I know the first time I shut someone down is the last time they bring me something; so if people bring something to me, I receive it with gratitude,” Cardwell adds.
Paying attention to even small complaints or concerns could uncover significant security issues that if left unchecked could reflect badly on the security team and its leadership, she notes. “That’s why if someone is coming to you with something, you should be curious about what they’re bringing to you. It may expose some really interesting things.”
10. Mishandling a breach
CISOs aren’t the only ones who recognize that a security incident is not a matter of if but when; their executive colleagues know that now, too.
Consequently, an incident isn’t a career-killer anymore.
“It used to be that having a breach would be a black mark for a CISO,” Cardwell says. “But these days I think that’s almost flipped. I’d prefer to not hire a CISO who has never had a breach, because I would prefer that they’ve had to go through a breach somewhere else, learn from that, and then come into my organization with that experience and a better view of what it takes to be resilient.”
Yet a security incident can still tank a CISO’s career if that CISO fumbles the response.
“It’s not handling it well that will kill a career,” Rawlins says.
CISOs need to have a well-rehearsed incident response plan so they can execute decisively, staunch the damage, and quickly move toward recovery, he says. They need to communicate calmly and clearly. They need to be in control.
“It might still be that your time with that employer would be ending. We still see CISOs who have a major breach have maybe 18 months left in their tenure there,” Rawlins says. “But it doesn’t have to ruin your career.”