Recently, a close friend and fellow security executive asked me to think about some life lessons I could pass on to peers in our community who were stepping into their first cyber leadership roles. After much thought, I realized she had a good point; much of the knowledge and experience you gain as a CISO is not about technology but about people, relationships, and technology intertwined within a business and how the resultant risks impact operations. The lessons you learn from managing these challenges will shape the future roles in your career, and they will directly impact how you lead and mentor your teams. So the article to follow is some fundamental insights that I have experienced in my 20+ years in IT and Cybersecurity. Like many of us in Cybersecurity today, we have had our heads down and worked nonstop during this pandemic. Our jobs became more complicated as our respective organizations pivoted to remote work.
I have been no different from anyone else during the last two years. I partnered with my organization’s CIO and IT team to fully implement a cloud-first SaaS architecture and a security stack to protect it. Over the last twenty-four months, I have worn both technical and strategic hats at times as I built a new security program to safeguard this infrastructure. Through long days and evenings on video calls working on issues and managing daily operations, I reminded myself that I also needed to manage my stress to be an effective leader. Much of that process is based on personal lessons I have learned myself or from peers in the cyber community. I believe these life lessons are critical for security practitioners to embrace as they mature and develop their career paths.
So let’s have some fun; the following are just a few insights to get us started, and don’t forget you will learn more as you accept new challenges in your career, and these lessons will mold the professional you become.
- Change is an opportunity — when I first started working as a part of a technology team, I would dread changes to my daily routine. Even as I matured and gained experience working in IT and later Cybersecurity, I hated any unknown changes to my schedule; they were interruptions to my plans and disturbed the flow of my team. Until one day, I realized fighting change was making it worse. Instead, I should look at it as an opportunity, but with constraints. Those constraints were I started to do long-range plans that I would share with my team and peers in the other business units. I began to advocate with my peers in the business that we should sit in on each other’s project meetings for awareness and share our long-range plans. I found getting enterprise awareness across the organization allowed my teams and me to plan better and understand the impact of our operations and projects. Over time this reduced unknown changes and facilitated a more manageable change process. So think of change as an opportunity to grow, gain more knowledge, and have a positive impact but put guidelines in place, making it a business process.
- Flexibility is good Self-Care — I have remarked that working in Cybersecurity is like working in an environment of stability and chaos. The setting is fluid with changing threats, new technologies, and laws/regulations that lag in meeting these challenges. With that in mind, to be effective as a CISO and for your mental health, be flexible. To approach the opportunities change brings you and your team with an open mindset. Be open to innovative ways to solve problems; sometimes, the answer to an issue isn’t a new control or technology but the removal of one and a change in the process. Being flexible allows you to build partnerships with other teams, organizations, or peers who may have the answers you need. Flexibility enables you to adapt to the challenges you and your teams face and reduce the inherent stress cyber brings to all of its practitioners.
- Our career field is a discipline — Cybersecurity is a discipline; it’s not just one subject but a branch of many intertwined and integrated into the varied non-technical disciplines found in business today. This taught me how broad our field has become and how many coming into the cybersecurity field today are from these non-technical disciplines. This diversity is good for our community; I believe it will be a shared experience in the future for most security leaders to have backgrounds from other business fields. This insight is essential when working with non-technical peers and executive leadership who may not realize how extensive the fields of study, technologies, threats, regulations, etc., have become in Cybersecurity. This knowledge helps you as a CISO when managing systemic risk and educating peers and fellow executives on how security is not just one business unit, one department, one budget expenditure, or one security executive. Instead, security is in every decision businesses make today, and it requires everyone engaged as a team to manage its varied components effectively.
- Your job is a marathon — This is an aspect of Cybersecurity that I believe causes much of the stress and burnout in our community. Working in cyber, you have to accept that there is never an end to your job. It’s not like you go to work one day, the company is secure, and you have nothing to do — it’s all quiet. We know our career field is continually changing, the threats and vulnerabilities we mitigate continue to grow, and then we still have the daily operations and management of the security program and its technology stack. To manage your stress as CISO and help your teams with their stress, it’s best to look at the job as a marathon. Approach daily technical operations by setting a comfortable work pace for your teams to focus on serving the business. Then as team operations become stable, plan how you can be flexible to challenges that may impact their schedule and start planning long-term for new projects or services to support future business requirements. Smooth and steady is good here; there is no winning the race as this race has no end. I know from experience that doing this well enables the security program to grow and be a valuable partner to the business. It will also significantly help you and your team members manage stress, and you should see a reduced number of burnout issues within your teams.
- It’s Cyber; you will break things — One of the hardest lessons I had to learn working in this career field is we sometimes break things. Many of you reading this article may not understand why this is an important lesson. Well, think about it. If you are a CISO or working as part of a security program, you will have policies and controls that guide what security services are provided inside your company. Those services can be traced back to a stack of interconnected disparate technologies. These various systems may be on-premise, cloud-oriented, or hybrid. Not all of these systems are designed to be integrated. It’s not uncommon to have significant challenges when implementing new configurations on one system, breaking something on another. The lesson to learn here is as a CISO; your technology stack should never be stagnant. You will always be looking to improve it, and things will get broken in the process. However, if you follow proper cyber hygiene and have network maps, data flow diagrams, and critical backups of systems and configurations, breaking something is just a minor inconvenience. So accept you will break things and plan accordingly.
- Don’t be afraid to be a hacker — Being a hacker isn’t bad; I see it as one of the more enjoyable parts of my job as a senior CISO. The lesson here is in Cybersecurity; many of the challenges you face will not always have an apparent approach on how they should be remediated. There will be times you will need to be creative, and part of this process is understanding the controls you have implemented via your framework can be modified. Yes, I know for some of you this is heresy — well, tough. I view controls in a security framework as a roadmap to a specific end goal, but businesses significantly influence these controls. As the senior security executive at your company, this is where your inner hacker needs to come out and get innovative. As a CISO, you must be willing to partner with the business and take input from peers to develop an approach so the company is thriving while you effectively manage risk. From experience, I have had to work with dev teams that required old servers to be available as they worked to decommission a product under contract. Now I could have been rigid, demanding they follow specific controls, or I was going to shut them down, but that would have significantly exposed the business to legal issues. Instead, we updated the servers as best we could, and I installed other monitoring controls. In working with the dev team to solve this issue, we removed this risk six months ahead of schedule. The lesson here is along with being flexible, you can be creative, so don’t be afraid to be a hacker and redraw the lines when needed.
- You don’t need to know everything — I honestly believe in Cybersecurity today, it is impossible to know everything about the numerous domains within our career field, and that’s ok. It took a long time for me to get comfortable with “not knowing enough.” The way you deal with this is to understand you need to educate yourself on your chosen career field. You typically start with technologies, regulations, frameworks, etc., that impact you today and start preparing for what you think will be required tomorrow. This education process is continuous but doesn’t need to be done all at once. Break it up into different categories, like focusing on the technologies in your current security stack or the threats, regulations, and issues facing your current industry. Then set some time aside, whether it’s an hour a day or several hours on the weekend. Use this time to read a new article, study for a new certification, build a new Linux project, or gather research for writing a book. What’s important is accepting you will never know enough, and implementing this continuous education plan will pay dividends as your career matures and you face challenges. Don’t forget this issue applies to everyone in Cybersecurity; you are not alone, so be willing to reach out to peers in the community from time to time for assistance, and please, when asked, help someone if you can.
- Cyber is about the long view — Earlier, I discussed approaching the job as a marathon. As a CISO, you need to set the pace for yourself and your team that enables you to complete projects on time and effectively manage daily security operations. The marathon view is the tactical approach; it’s the day-to-day maintenance and procedures or, as many of my peers say, the “daily care and feeding of a security program.” Now comes the other side of the job, which is the strategic approach. This different approach takes the long view; it is having an enterprise view of the organization and planning one to three years out. It’s not only preparing for changes in the security stack or updates to controls but also partnering with peers in the other business units and understanding their needs and how you and your security program will support them. It includes understanding the political, regulatory, and cultural changes in play that may impact you and the business. The long view takes time to develop, and it’s hard because you are planning for challenges that haven’t happened yet. What’s important is developing the discipline to mature this view and periodically updating it so it’s tuned to your organization’s needs. This lesson was a challenge for me, but I realized in developing this view that I could see and avoid possible roadblocks detrimental to my teams and my company. As you take the long view, one final point is that it requires you to collect information, speak with peers (both internal/external to the company), and continually adjust, so be patient and build this as an executive skillset.
- Good Customer Experience = Job Longevity — I remember the first time a mentor told me there are no “stupid users” that it doesn’t matter what an employee may have done to make their corporate computer a digital wasteland. I needed to view them as customers; without them needing my assistance, I wouldn’t have a job. This was the first time I realized I was there to serve, and if my customers were happy, I could have an excellent long career. This lesson that I learned years ago has shaped my view on developing my security teams and building an enterprise security program. I view Cybersecurity as a service, and as the CISO, it’s my job to use my teams, the technologies/services in my security stack, and the policies/procedures of my program to manage the systemic technical risk of my company. To do this effectively, my teams and I need to be visible and open to our customers, they need to know what projects and challenges we are managing, and they need to trust us. The last piece, building trust, is the hardest but the most important. Through building this trust, our customers hopefully have a good experience, see the value in the services and controls we provide and are willing to work with us even if sometimes we slow them down. Remember, they are your customers, and you serve them, so treat them with respect.
- Controls + Supposed Value vs. Impact — This next lesson is critical for those who are building security programs or implementing new controls. It is essential to understand that each control has a “supposed value” to the business that we hope is for the company’s betterment. This value can reduce a type of risk, or it can allow new services to be used by internal business teams. The lesson to learn here, and I, unfortunately, have been burned by this over the years, is understanding that the value of a control may be great for the security program, but the impact on business operations is detrimental, so how valuable is it? When making changes to controls, you need input from your peers in the other business units. Controls are not just “on” or “off”; you can adjust them to reduce some level of risk or minimize their shock to current business services. So it’s essential to gather information outside your security team to tune your controls for the right level of risk mitigation, be willing to compromise, and use secondary controls if needed.
- One hundred percent controls don’t equal complete security — In my years of working in both IT and Cybersecurity, I have known many tech executives chasing the dream of being 100% secure by installing all of their chosen frameworks controls. The lesson I have learned and wish to impart to you here is nothing ever achieves 100% security. If humans are involved, there is always a factor of unsecureness <smile>. This doesn’t mean you don’t use a risk management framework to establish a foundation for your security program. Instead, I am trying to impart that some controls are more important than others, and you need to know which ones are critical for your company at its current level of maturity. Then think of other processes, procedures, or policies that may be put in place to manage the human factor within your security program and networks. In learning this lesson, I really got to understand systemic risk. How many small pieces of various programs, technologies, processes that are stitched together may work well, but when you lose one or two of those pieces, you have a cascading effect that can cause significant damage or risk exposure. So don’t get fixated on completing the controls checklist; instead, focus on the minimum viable controls the business needs now, manage your human issues, and then adjust as required.
- Internal and external relationships are critical — I am fond of saying security doesn’t thrive in a box; it needs to be out in the open and seen by customers to demonstrate its business value. Part of that process and a critical lesson for you as a security executive is establishing relationships with external/internal peers and internal business unit SMEs. Its establishing relationships with executives, partners, vendors, and customers. Through these relationships, you learn more about the company and where you fit in the overall scheme of operations. You establish champions for your security program and customers who value how your teams serve them through these relationships. Through these relationships, you learn about challenges that may shake up strategic plans or opportunities where you can step in and help the business. As a CISO, it is imperative for you and your teams to understand you need these relationships to thrive and be effective.
- Brand and Business Culture are forces of nature; respect them — These two forces of nature I have seen buffet many a well-meaning CISO and their established security programs. The brand generates revenue; as a CISO for a company known by its brand, you represent them whether you want to or not. The lesson to learn is you must be careful in what you say and post online. It would be best if you also had a business awareness of the brand and its use to drive revenue. If you were the CISO for, say, Nike as an example, would you do a conference where you are wearing a competitor’s shoes or a competitor’s branded clothing? I worked for a security company and wanted to buy a product to remediate an immature control. I could not purchase the solution I wanted because they were a competitor of our brand for several of our products. Instead, I had to select a different vendor. So it’s essential to understand the brand, how customers view it, and that you, as a security executive for the company, represent it, so be an ambassador. The second issue here, Business Culture, can be just as strong and entrenched as a company’s brand. Culture drives how employees work, the processes they follow, how they relate to each other, and whether they will accept change. This last piece, change, is a prominent challenge security professionals face because managing risk is all about change. No one likes to change how they do things, even if it’s for the company’s betterment. It’s human nature to push back against change, and companies with entrenched business cultures are not friendly to making adjustments to “how we do things around here.” The lesson for managing this second issue is, as a CISO, you have to be visible and advocate for security. Teach employees the value of the changes you want to make and explain how this is good for them at work and home. Flip the script and call these innovations or transformations to the current process that provides new services. The core thing to remember for both brand and culture is it takes time to build trust; you make changes in small increments and remember to leverage champions/peers in the various business units. This is where the relationships you have established are essential; they help you protect the company and its brand/culture as it transitions to new, more secure business methods.
- Take a chance, get involved in the community — Finally, the lesson here is about leaving a legacy. As I mentioned earlier, you will never know everything. Our career field is too broad and constantly in flux. This isn’t a bad thing; in fact, it’s why I love our community, and it’s why I consistently advocate for people to get off the sidelines and get involved. Even if you are new to Cybersecurity, you can help at a conference, speak at a BSides, mentor high school students doing a CTF event. There are so many opportunities to be a part of our extended family. So the lesson here is to grow your family, so you have people to learn from and lean on when times are hard. You have new friends who can tell you about a role that would be great for you in your career or a new mentee who seeks to learn from you as they mature into tomorrow’s security leader. Don’t be a taker, be a giver, be a servant leader and join the community.
This list is by no means all of the life lessons I have learned while working in IT and Cybersecurity, and I am not finished yet, so I expect there will be many more to come. My hope in writing this article was to provide a window into the challenges and opportunities security leaders face. Plus some insight into what I have learned when faced with these adversities.
I look forward to meeting many of you this year at conferences as we come back together and hope to hear how you have triumphed over these last couple of years. Blessings to all of you and your families. Be safe, and don’t forget we are stronger together as a community — so get involved.