A CISO looking back, “Dear younger me…”
Recently, on one beautiful night here in San Diego at a concert with my wife of thirty years, I listened to MercyMe play a song, “Dear Younger Me.” As I listened to the music, I found myself reflecting on decisions I had made over the last twenty years of my career in both information technology and cybersecurity. I remembered decisions I made that had a profound impact on my family or employees, and decisions I passed on because I lacked the experience or the confidence to see my path forward. In retrospect, I found this review quite sobering, and I thought to myself what advice I would have given to my “younger me.” Would that advice have made a difference? Would I have listened and been better off for taking a different path than the one I am now on? For several hours after that concert, I could not let this go, so instead I created a list, and finally at 3:00 am the next morning I fell asleep.
I realize now that much of my mentoring, writing, and public speaking has been a way for me to speak to the “younger me’s” that are coming into our community. I hope the following advice provides some value and helps as you walk your path. I enjoyed creating this list, and the memories it contains today are as sharp as twenty years ago.
1. It’s ok to take risks — when I was younger I was risk-averse; it was everything by the book, and I stayed in my box. That is fine as an entry-level analyst; however, as you grow in experience and leadership, taking risks is not only expected but required. At times as a leader, you will have to make independent decisions without all of the information. It’s ok; making that decision won’t end your career, it will help you grow.
2. An organization's culture can be a friend — I remember many times I tried to fight “this is how we do things around here.” I can’t count the times as a CIO or CISO I bashed my head and department against business culture, thinking I would be the person to make it change. Well, years of experience have shown me that business culture improves through trust and visibility. It takes time to build that up with employees, and you can effect change if you put the time in and are patient. Employees have to understand the value of why change is needed, and once they do, the momentum to do something new can be fantastic to behold.
3. It’s not always a tech issue — as a network engineer and later a security architect, I felt many of the problems we had were because we didn’t have the right technology to correct an issue. Years later I now realize many problems facing a security team, information technology team, or even a DevOps team can be traced to bad workflows and business processes. Yes, that’s right. I am admitting uninformed business decisions can drive many issues that organizations buy technology to mask. If you are dealing with liabilities, understand the underlying causes before you expend resources to mitigate them; this will save you a lot of late nights and money in the long run.
4. The Information Technology department is not the enemy — working in security, I have had a love/hate relationship with the IT department. However, whether you like it or not, as a CISO you can’t do your security projects and initiatives without the help of the CIO and her band of merry technicians, so learn to collaborate and support each other. Besides, you want to know what projects they are doing so you can manage the risk. To get that trust you need to give some in return, and it’s ok.
5. Cybersecurity is enterprise risk — in security, you are not some digital ninjas; ok, sometimes you are. But really, security is about managing risk through the use of processes, frameworks, people, and technology. I am embarrassed that when I was younger, I thought being in cybersecurity was super squirrel special, but when you get down to it you are providing services to your organization just like the IT department, except yours are different. That doesn’t mean we can’t take pride in working in our career field. I just believe we can serve with humility and be more productive.
6. Working for the government is pretty cool — this is one decision I am happy I made, and I would recommend it for people starting in their career field. The level of experience, authority, projects, teams, and responsibility I received working in federal civil service for six years was pretty unique. The freedom I was given to make decisions, manage initiatives, fail at times, and grow as a leader and mentor is standard for government leaders, and I find it has made me more well-rounded as a security and business executive.
7. Continuing education is part of the job — I have spoken about this numerous times and have learned over the years that if you work in the cybersecurity field you will always be educating yourself on something, so get used to it. I fought it for a while, figured I had my CISSP and I was done. Then I noticed the pace of change going on in the business, and I came to the realization I was just getting started. So embrace learning; it will pay dividends in the long run for you, and be sure to share this knowledge with your teams for their benefit as well.
8. Red flags are a warning — I have written articles on this, but I will repeat it one more time: beware of red flags in an interview. I know we all have the sense that we will do great in our new job if we can just get that interview to make our case. That may be so, but we should also not be afraid to walk away. If you see the red flags I mention in the linked article, have the common sense to realize you are not getting hired to come in and fix their issues. Save yourself the heartache and sleepless nights and find a role that is a better fit for you and your family.
9. Business knowledge is essential — this may not be required when starting as an analyst or a security engineer. However, the longer you are in your career field and the further you move into leadership roles, the more the decisions you make are not related to technology or security. Many are decisions related to resources, project management, and strategic planning. If you want to be a CISO, get comfortable with making business decisions. If you need education and mentoring to mature those required skillsets, don’t be afraid to get them. Completing my executive MBA at San Diego State University was one of the best decisions I ever made.
10. Manage your stress — start early and manage it often. In cybersecurity, much research has been done about the sustained effects of stress on security leaders and their teams. Having been in the military, I figured it wasn’t anything different from what I was used to when I was in uniform, so I just accepted the sustained stress as part of the job. I am here to say that is stupid and was a very bad decision on my part. If you don’t manage the stress cybersecurity brings to you as a CISO, it will control you, and you will not like it. Rick McElroy and I spoke about this at RSA this year, and it’s a fact that this issue is having an impact on our community; both of us have lost close friends and peers. What helps: faith, family, friends, plus mentoring and community involvement. Tie that in with some physical workouts, and you are on the mend. Take care of yourself; we need everyone in our community.
I am going to keep this list short; in actuality, I was up writing and created a list of over thirty things to talk about, but as my friend and peer Sam Curry once told me — keep it short, you can always write another article <smile>. In closing, I hope some of these early morning musings help you, and I strongly encourage you to start early: don’t come to the end of your career in cybersecurity with regret — leave a legacy.
***In addition to having the privilege of serving as a Chief Information Security Officer, I am a co-author with my partners Bill Bonney and Matt Stamper of the CISO Desk Reference Guide Volumes 1 & 2 and the author of The Essential Guide to Cybersecurity for SMBs and Developing Your Cybersecurity Career-Path. For those of you who have asked, all four are available in print and e-book on Amazon. To see what books are next in our series, please visit the CISO Desk Reference website.