{"id":327,"date":"2024-09-23T07:00:00","date_gmt":"2024-09-23T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=327"},"modified":"2024-09-23T07:00:00","modified_gmt":"2024-09-23T07:00:00","slug":"10-things-cisos-wished-they-knew-from-the-start","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=327","title":{"rendered":"10 things CISOs wished they knew from the start"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Becoming a first-time CISO can be overwhelming. From day one, these professionals, often external hires, must keep the organization secure while juggling a large set of challenges. On one hand, there\u2019s the immediate pressure to defend against a growing array of cyber threats. On the other, there\u2019s the need to navigate organizational dynamics, win over grumpy executives, and prioritize security measures without breaking the business.<\/p>\n<p>\u201cA successful CISO is a well-rounded leader, excelling and balancing all cybersecurity domains and understanding the complexities of the company and its major stakeholders,\u201d says Mike Britton, CISO at Abnormal Security.<\/p>\n<p>But that\u2019s easier said than done. Every CISO has their fair share of regrets and a list of things they wish they had approached differently, from doing the boring work properly to building relations or learning to manage frustration more effectively. By sharing these experiences, they offer a valuable roadmap for newcomers, helping them avoid lessons learned the hard way.<\/p>\n<h2 class=\"wp-block-heading\">Tech alone won\u2019t cut it<\/h2>\n<p>Knowing your way around tech is necessary, but not sufficient. 
\u201cYou\u2019re in charge of securing the business\u2019s information, not just hardening servers and patching laptops,\u201d says Nate Lee, CISO and principal at Cloudsec.ai.<\/p>\n<p>CISOs should adopt a holistic view that includes people and processes, because the role of technology is to augment everything, says Dimitri Chichlo, CSO at BforeAI. \u201cA superior process associated with weak technology is more effective than a weak process associated with superior technology,\u201d he adds.<\/p>\n<h2 class=\"wp-block-heading\">Improvise. Adapt. Overcome.<\/h2>\n<p>As professional boxer Mike Tyson put it, \u201cEverybody has a plan until you\u2019re punched in the mouth.\u201d This <a href=\"https:\/\/www.youtube.com\/watch?v=qSuMgOu8QPo&amp;ab_channel=MMASource\">quote<\/a> applies to CISOs as well. \u201cI realized on day one that most of what I envisioned needed to be thrown out of the window,\u201d Britton says. \u201cInstead, I needed to quickly assess what was critical and needed immediate attention, and prioritized those initiatives over long-term, transformative projects. As an external hire, you have to be prepared to adapt your initial plans.\u201d<\/p>\n<p>Adaptability touches on every aspect of the job, including dodging office politics and creating relationships. \u201cWhile it can be daunting to build credibility, it is also an opportunity to prove your adaptability,\u201d Britton adds.<\/p>\n<p>When it comes to the ability to adapt, John Terrill, CISO at Phosphorus, has straightforward advice: \u201cGet comfortable being uncomfortable.\u201d<\/p>\n<p>When an incident happens \u2014 and it will \u2014 CISOs will feel uncomfortable. \u201cYou can\u2019t dwell on that. You don\u2019t have a time machine and won\u2019t be able to go back in time. 
Focus on the things you can control.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Brace for chaos, but set reasonable expectations<\/h2>\n<p>Granted, no amount of personal effort is going to stop incidents from happening, but first-time CISOs shouldn\u2019t feel like they\u2019re defending the company alone. \u201cYou\u2019re not Atlas with the world on your shoulders,\u201d says Terrill. \u201cGood programs come from strong processes, muscle memory, and doing difficult work.\u201d<\/p>\n<p>That said, CISOs should try to avoid burning themselves out and setting unreasonable expectations. \u201cNo one is going to keep advanced threats at bay by missing a good night\u2019s sleep,\u201d Terrill adds.<\/p>\n<p>To make sure you\u2019re spending your evenings at home, \u201cinstead of focusing on protection only, dedicate significant efforts and budget for response and recovery \u2014 backup and restore capabilities,\u201d Chichlo says.<\/p>\n<h2 class=\"wp-block-heading\">Do the boring stuff<\/h2>\n<p>Cybersecurity isn\u2019t just about guarding corporate gates. It\u2019s also about keeping all your ducks in a row with lifecycle management, change strategies, and ensuring the IT infrastructure stays solid.<\/p>\n<p>The <a href=\"https:\/\/www.csoonline.com\/article\/571131\/ransomware-recovery-8-steps-to-successfully-restore-from-backup.html\">backup and restore<\/a> capabilities should be tested periodically to make ransomware less of a concern, and all the other basics should be covered. \u201cHaving an incident response plan based on activities like threat modelling and tabletop exercises is the minimum every CISO should have in place,\u201d Chichlo says.<\/p>\n<p>Optimizing existing platforms is another commonly overlooked basic. 
\u201cThis one area leads to alert fatigue, as at the end of the day the security operations staff needs to be able to determine what is a false-positive alert versus a pending attack,\u201d says Sue Bergamo, global CIO &amp; CISO at BTE Partners.<\/p>\n<p>As always, maintaining good hygiene and getting the basics right can go a long way. \u201cMost of security is preventative maintenance that equates your role to running something more resembling a computer janitorial staff rather than advanced war fighters,\u201d Terrill says.<\/p>\n<h2 class=\"wp-block-heading\">Avoid oversharing technical details<\/h2>\n<p>While CISOs live and breathe cybersecurity, this is not true for their fellow C-suite colleagues. This is why every CISO needs to make sure they are communicating in a way that is easily understood. \u201cIf you speak technical jargon only, you lose your audience, and they will shift to other priorities,\u201d Chichlo says.<\/p>\n<p>A common issue with junior CISOs is they overshare technical details. \u201cWe make the mistake of thinking everyone is interested in knowing that we\u2019ve deflected one-million attacks per month \u2014 but honestly, no one wants to hear this information,\u201d Bergamo adds.<\/p>\n<p>And Renee Guttmann, CISO emeritus and founder of CisoHive, agrees: \u201cDon\u2019t present numbers without understanding their relevance. [\u2026] figure out how to make sense of the numbers.\u201d<\/p>\n<p>When an incident happens, CISOs should highlight the fact that \u201cthe company has not been subjected to a material breach, [that] revenue and brand haven\u2019t been tarnished, and that the technology in use is effective and that the staff is working hard on overall cyber defense,\u201d Bergamo says.<\/p>\n<h2 class=\"wp-block-heading\">Don\u2019t overdo it<\/h2>\n<p>One of a CISO\u2019s main duties is to understand the business as a whole. This allows them to \u201ctake appropriate risks to achieve business objectives,\u201d says Britton. 
If they enforce protocols that are secure yet too complex, \u201cthey will be seen as a blocker, or worse yet, ineffective in performing their role,\u201d he adds.<\/p>\n<p>Chichlo recommends first-time CISOs understand that their primary clients are businesspeople, \u201cthose who earn money for your company. Every security measure is a potential constraint for them, and you must balance between security and usability,\u201d he says. \u201cBeing too dogmatic is a credibility, security, and potentially revenue killer.\u201d<\/p>\n<p>Terrill is on the same page: \u201cIf you start making it too difficult for people to get their jobs done, you may be more detrimental to the business than an outside attacker.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Learn to prioritize<\/h2>\n<p>Often, CISOs have to work with limited resources, so Chichlo advises them to \u201clearn how to manage frustrations. You will never get the full budget you need to secure your environment,\u201d he says. \u201cYou will (alas) have to prioritize which risks you will address first to maximize the return on your security investments.\u201d<\/p>\n<p>Given that funds are limited, they should be used wisely. \u201cMost of the time, especially with cybersecurity products, the solution doesn\u2019t make a problem go away, it creates new problems to solve and more work to do,\u201d Terrill says. \u201cIf you can write a check and truly make a problem go away, that\u2019s the cheapest problem you have.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Educate and engage<\/h2>\n<p>In many companies, employees have limited security knowledge. \u201cThe general awareness of your colleagues regarding cybersecurity risks, whatever their position, is usually basic and often naive,\u201d Chichlo says. This can be changed, though, through effective training done in every department, including IT. 
\u201cThere is a huge effort on education to be made,\u201d he adds.<\/p>\n<p>In addition to education, a collaborative environment should be fostered. CISOs should aim for partnerships, rather than point fingers, as they are there to help, not to denounce mistakes.<\/p>\n<p>\u201cPut as much cybersecurity responsibility as possible on your IT colleagues,\u201d Chichlo says. \u201cSecurity should be by default and by design. Those who operate should be the ones who secure from the inception.\u201d<\/p>\n<p>Training and on-the-spot advice have to come from a good place and should include empathy. \u201cDon\u2019t fall into the trap of always needing to be the bad guy,\u201d Guttmann adds. \u201cDon\u2019t let other teams make you the bad or fall guy.\u201d<\/p>\n<h2 class=\"wp-block-heading\">How about bringing cupcakes to work?<\/h2>\n<p>It\u2019s a fact: CISOs aren\u2019t exactly the most well-liked people in the office. They sometimes enforce draconic security measures, which makes everyone\u2019s life a tad difficult. \u201cWe\u2019re often the bearer of hard truths and bad news, and the controls we implement are frequently perceived as a source of friction,\u201d Lee says.<\/p>\n<p>Bringing cupcakes to work every Friday may not be feasible, but connecting with other teams and building meaningful relationships will go a long way. The objective here is to be perceived as a trusted partner rather than an enemy. Or, as Guttmann puts it: \u201cIt\u2019s about influence, not power. The biggest mistake is thinking that sticks work better than carrots.\u201d<\/p>\n<p>This is why being proactive and building relationships with colleagues go a long way. \u201cUnderstand their needs and challenges on a personal level, rather than just engaging when you need something from them,\u201d Britton says. 
\u201cThis foundation of trust will prove invaluable when you need support or encounter resistance.\u201d<\/p>\n<p>The best approach to communicating potentially unpleasant security decisions is to bring all stakeholders to the table early on and make sure they understand the reasons behind said decisions. \u201cPeople are much more accepting of change when they understand the reason why and feel like they\u2019ve had a voice in the decision, even if they\u2019d like a different outcome,\u201d Lee says. \u201cAchieving the title of CISO itself lends no inherent authority. It\u2019s up to you to wield it wisely to build the respect and connections that enable you to really move the needle forward on security.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Put your family first<\/h2>\n<p>While our job often defines us, we should remember that there\u2019s more to life than that. Guttmann regrets missing one of her daughter\u2019s Halloween parades because her boss called her while she was driving home and she had to talk to him at length. \u201cA friend of mine took a picture of [my daughter] for me and she was tearful,\u201d Guttmann says. \u201cI kept that picture in my office.\u201d<\/p>\n<p>When any member of her team asked her for time off for a doctor\u2019s visit, a soccer game, or a school appointment, she simply turned around, took the picture of her daughter crying, and held it up for that colleague to see \u2014 a gentle reminder that work could wait.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Becoming a first-time CISO can be overwhelming. From day one, these professionals, often external hires, must keep the organization secure while juggling a large set of challenges. On one hand, there\u2019s the immediate pressure to defend against a growing array of cyber threats. 
On the other, there\u2019s the need to navigate organizational dynamics, win over [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":328,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-327","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/327"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=327"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/327\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/328"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=327"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=327"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=327"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}