[BreachExchange] 3 Hiking Principles That Made Me a Better CISO

Destry Winant destry at riskbasedsecurity.com
Tue Mar 9 10:53:56 EST 2021


https://securityboulevard.com/2021/03/three-hiking-principles-that-made-me-a-better-ciso/

When I am not studying the newest cybersecurity threat or preparing an
enterprise and its employees for the next inevitable cyberattack, I
can be found traipsing through California’s Sierra Nevada or in the
depths of Death Valley. It was during these adventures that I
developed both my mountain sense and found the quiet solitude to
proactively strategize around new and creative security initiatives.

A career in cybersecurity is a never-ending path of trial and error,
and to be a true leader in this space, you are expected to have all
the right answers – especially when an enterprise finds itself at its
most vulnerable, at the hands of a cybercriminal. In response to such
dire situations, I’ll share three important realizations I’ve come to
during my time outside the office that have ultimately made me a
better chief information security officer (CISO).

Turning Mountains Into Hills

Overzealous new mountaineers, backpackers or security practitioners
are often found biting off more than they can chew. The combination of
the excitement and the desire to get to the top can cause both an
overestimation of speed and “summit fever.” This combination
can quickly lead to fatigue or excessive risk taking – dangerous
scenarios for both an adventurer and a CISO.

This situation can happen repeatedly in the cybersecurity industry.
Driven by the sense that there’s too much to do and that everything
needs fixing immediately, we take on roadmaps that are overly
aggressive or that are so narrowly focused that we lose sight of the
big picture. This leads to burnout, and the likelihood of missing more
risks in the periphery.

As one of my mountain mentors once told me: start out slow, go go go;
start out fast, never last. As I’ve grown in my role as a CISO, I have
learned how to ensure I am not ushering my team towards failure, but
instead, inspiring them to take threats one by one and learn when they
need to take a step back and reevaluate the path ahead. It is
acceptable to tackle a hill before moving on to a mountain, especially
if it means you will be better prepared to take on a more threatening
adversary.

Read the Map, Read the Mountain

When planning to climb Telescope Peak (11,043 feet above sea level)
from Shorty’s Well in Death Valley (262 feet below sea level) for a
total climb of 11,311 feet and more than 40 miles round trip, I spent
hours reviewing maps and trip reports, while completing dozens of
miles of desert-heat training to prepare. At midnight, under a
moonless sky with temperatures still at 85 degrees Fahrenheit, we set
out up Hanaupah Canyon. As the day wore on, we covered substantially
more distance than we had planned and realized that continuing this
trek would have us near the end of our water rations in one of the
driest places on Earth. We turned back. Planning is an important part
of mountain travel, but the maps and plans are merely representations
of what you will experience. You must look around, ask if the actuals
are occurring according to plan and, if not, be ready to adjust.

The same approach can be applied to cybersecurity. We are often
building plan after plan; however, the ability to adapt rapidly to new
realities is critical to success. Equipping a team to be able to
handle this churn gracefully is a skill that a CISO must instill in
them – especially before a cyberattack hits. Every attack is unique,
and what worked for another organization might only cause further
damage to your own. The ability to adapt, learn and adjust must be
solidly ingrained within a team so they can compare reality to the
original plan and make sound and safe cybersecurity decisions.

The Leader Must Not Fall

Improvements in climbing equipment allow for “safer falling” than the
old hemp lines of yore; but, for many mountaineers, this remains an
important maxim. If you are responsible for a group of climbers and
you make bad decisions that result in your injury or death, you expose
your entire party to serious risk. Leaders fall for a variety of
reasons in the mountains: overconfidence and bravado, lack of
consultation with the team, gaps in technical knowledge and so on. All
of these are preventable if a leader has developed self-reflection
skills and has done an honest inward analysis. Some falls are not
preventable; if those end up being the anomaly, you will come out all
right more often than not.

This concept maps closely to our role as leaders in cybersecurity. As
a CISO, I must always ask myself if I am doing things that are
motivated by the mission of the CIA triad (confidentiality, integrity
and availability) and in the best interest of my team at all times.
Building a cybersecurity program requires compromise, collaboration
and negotiation – in summary: politics. On top of that are the
realities of being a human – my behaviors, beliefs and ideas all add
up to the sum of how I operate in the business.

“Am I executing my duties in the best interest of my people, and
demonstrating the ideals that keep us moving?” is a question I am
always asking myself. I cannot prevent all falls, but the ones driven
by a lack of self-awareness or hubris are never acceptable, as they
endanger my team and the mission of keeping our enterprise safe from
the next cybersecurity threat.

In the summer of 2020, I huddled with my partner, under a large
granite boulder, at 12,500 feet, in the shadow of the most spectacular
mountains in California as thunder crashed around us. We had made
plans, knew our route, trained and then set out for the summit, but
the conditions changed and we turned back. As we headed down through
Shepherds Pass, the thought of how these real-life lessons applied to
my role as a CISO crystallized in my mind. When we reached camp, I
came to understand the relationship between the mountains and the
practices I bring to the cybersecurity industry. As an individual, I
have brought my mountain adventures to my career and the realization
that as a team, we are the sum of our experiences.

I may take inspiration from the mountains, my program manager may form
his ideals from his life on a sailboat and my network engineer might
find his drive through his experiences as a Marine. A team of diverse
thinkers and security practitioners is built on bringing useful
personal lessons to the table that can shape our effectiveness and
steer us clear of hazards.
