[BreachExchange] What in the World Is a CISO?

Destry Winant destry at riskbasedsecurity.com
Fri Apr 23 10:46:31 EDT 2021


https://www.tripwire.com/state-of-security/featured/what-in-the-world-is-a-ciso/

Whilst employment has taken a downward curve over the last year or so,
there are a variety of approaches I use when applying for a role to help my
CV stand out. One key point is knowing what the job entails before
submitting my cover letter and CV. This allows me to tailor my message
effectively. Additionally, it enables me to find positions that I might not
have originally considered. One position I think more people should be
aware of is a CISO. What does this actually mean – besides being made
redundant when a breach is announced? I have personally worked within a
CISO-as-a-Service position, but I wanted to get some more insight from
those who are working in the trenches daily in an in-house CISO position.
Below is what I learned through speaking with some brilliant contacts:

What I thought being a CISO was:


Having worked within the cyber security and technology industry for over a
decade, I have seen brilliant examples of leadership and not-so-lovely
managers. Over time, I have noticed the difference is found in how the
senior person approaches their role. Leaders are people who strive for a
positive experience, are able to delegate and are willing to let colleagues
work in their own way, all whilst retaining a holistic view that is
forward-looking.

As with all industries, it can be difficult to understand from the outside
what it truly takes to get to a specific position or what the role itself
actually requires. It is also important to note that no role is created by
a cookie cutter – diversity of skills, experiences and more can enhance the
organization’s strategy and coverage. In fact, research carried out by
McKinsey & Company titled “Delivering Through Diversity” from 2018 revealed
that gender-diverse senior leadership led to a 20% profit increase – ethnic
diversity even higher. Within security, diversity of thought, skills,
points of view, experiences, gender, culture and more bring layers of
knowledge, considerations and insights that others might not consider.

The role of a Chief Information Security Officer (CISO) is no exception to
the need for diverse persons. What I found from speaking to contacts within
the CISO position was that it is quite easy to find one type of CISO – that
expected cookie-cutter with similar backgrounds – but difficult to find
diverse persons.

Thankfully, I have the privilege of knowing many excellent persons who have
broken that mold and who became truly excellent CISOs focused on empowering
their teams and bringing security to the forefront of their products and/or
services.

On a typical day, what is your focus?

“My job is to ensure cross functionality does not turn into
dysfunctionality” – Ian Thornton-Trump, CISO at Cyjax.

The number one response I got from my contacts was that their role is to
keep up to date on security news and trends in order to identify how that
may or may not affect the organization. Taking those industry insights, a
CISO then translates and communicates that knowledge across the different
teams and departments.

“In addition to making sure I’m up-to-date with any relevant, emerging
threats and that any in-flight projects related to current strategy are
still ticking along, I work to stay on top of the plethora of emails
related to daily BAU activities.” – Becky Pinkard, CISO at Aldermore Bank
PLC.

One response that stood out to me was Christian Toon, CISO at Pinsent
Masons, who shared that a critical piece of his role is ensuring the team’s
well-being and how enabling them to succeed is actually the key to his own
success.

“More recently the team, that they have what they need (approval,
resources, strategy, direction, moral support, mental well-being, &c) to be
successful,” he said.

One person I always enjoy getting insights from is my long-time friend Ian
Thornton-Trump, CISO at Cyjax. What is Ian’s daily focus?

Coffee, read intel reports, flag items of interest to the Threat Intel Team
to make sure they are on top of things – they generally are. Take a gander
at social media and plunge into the work of the day be it media commentary,
reporting or marketing campaign related – very unlike CISO but we are a
start-up so everyone contributes cross functionally. My job is to ensure
cross functionality does not turn into dysfunctionality, so I work with the
COO very closely. I also have a role in product development and public
advocacy for the importance of CTI as a robust, effective and inexpensive
solution to help against cyber-crime.

Whilst each response is different, we can already see a theme throughout –
the role of a CISO is taking that holistic view of the organization.
They’re about knowing their team and empowering them to achieve what they
need whilst knowing what’s next in terms of the threats confronting the
organisation.

What being a CISO really is:

What is the true purpose of a CISO?

Whilst you might feel we’ve answered this already, I was curious what my
connections thought their purpose was. Speaking with Wolfgang Goerlich,
Advisory CISO at DUO Security, he explained that, “The CISO negotiates with
peers and business partners. The CISO marshals support, budgets and people.
The CISO protects the organization by securing the technology that enables
the organization.”

Becky’s response was within the same thread: “The true purpose of the CISO
is to interpret and align the company’s risk appetite with security
opportunity to create and then drive the best strategy for securing the
business and ultimately to ensure the right security for customers.”

To me, both Wolfgang’s and Becky’s responses go back to CISOs having that
holistic view. It’s about taking stock of all the little complexities along
the way, ultimately lining them up and appropriately assessing them.

Ian highlights this further: “Leadership and awareness of what is going on,
why it’s going on and who may be victimized by the events unfolding.”

What area would you say you are best in?

You may have heard the following many times: “The more senior your role,
the less hands-on/technical you can be.” However, I found an interesting
point that Becky made:

My cyber security career consisted of hands-on, technical roles for the
first 10 years, which has helped me immensely as my career has grown on the
management and CISO side – I think this is my strongest area, as a result.

Whereas, Wolfgang tells us if he could ‘go back’ and focus on one skill
before ‘leveling up’ to a CISO, it would be on specializing.

It’s fashionable to talk about the C in CISO. The CISO is a business
executive first, a technologist second. That’s true and it’s often said.
The longer I’m out of the trenches, the more difficult the technologist
aspect of the job becomes. I would level up on Infrastructure-as-a-Service
and Software-as-a-Service security.

Meanwhile, Christian sees the value of his interpersonal skills and
understanding people: “I’ve recently perfected the perfect home brew ale,
oh wait, security thing… for me it’s all about the soft skills – bringing
people together to achieve what needs to be done to best secure the
business.”

At times, being able to see through what someone is saying, breaking down
the words and reading between the lines, is Ian’s greatest asset, he shares:

Is bulls**t detection on the list? Understanding the noise of FUD to
discern an interesting event or product in the marketplace. There is a lot
of FUD to sort through, be it an article that vastly overstates the
“danger” of a new vulnerability or a vendor that claims they are the 100%,
well, anything. Sure, with 20+ years in the industry and a lot of time in a
uniform, I’ve picked up a few tips and tricks, but at the end of the day, I
would say I’m adaptable, and adaptability helps build an agile organization.

If you could go back and focus on one skill before ‘leveling up’ to a CISO,
what would it be?

Becky and Ian took the opposite view, choosing to focus more on risk and
team management skills. Here’s Becky:

I never ran a risk function, so I’d wish to have spent more time in this
area before landing the CISO role. While I’ve had probably hundreds of
risk-based conversations throughout my career prior to the CISO role, the
language and slant is different from the CISO lens. I think experiencing
ownership of that function in the past would have helped me to feel more
comfortable going into the “deep end of risk” in the CISO shoes!

“Wow tough one,” said Ian. “Certainly, it would not be technical certs.
I’ve got a bunch of them, but as I think about the question, I would say
more opportunities to build teams. Most of my experience has been gained
from ad-hoc team management as either an incident handler or on a security
project or sec ops.”

Whilst your journey in your career is definitely going to affect where your
expertise lies and ultimately where you wish you had more experience, the
constants throughout my discussions were:

Hands-on experience with technology is brilliant and will enhance your
understanding, helping you better understand the problems your organization
faces and rate the risks proportionately.

Most importantly, people matter, your team matters and the relationship you
build with them affects your success.

My view is that information security is:

People, process, and technology – but people are first for a reason.

Taking a bit of a different view, and actually in line with the whole
purpose of my writing this article to begin with, Christian shares, “If I
could go back, I wouldn’t want to level up. I’d want to start sooner. A
misguided youth didn’t open my eyes to white hat security until very late,
let alone the idea that I could even make a career out of it. But an area I
wish I knew more about is mental resilience and emotional intelligence.”

Reality is, there is no perfect CISO; there is no true cookie-cutter for
either the role or the person. I think organizations would massively
benefit from a variety of persons pursuing this position, adding that
context to industry trends, handling the team effectively and bringing
insights from their industry experience. This can be either with an
in-house or vCISO position. In order to achieve this, organizations will be
required to ensure their hiring process allows for diverse opportunities.
Targeting diverse persons who might be a strong CISO but may not originally
have considered this is most interesting to me.