8 Tips for Being a Successful CISO

Companies that take cybersecurity seriously know that it isn’t just an IT issue. It’s a strategic business process.

Digital transformation. IT modernization. Big data. Cloud computing. It’s no wonder that business and technology are changing faster than ever.

Most C-level executives know that technology is rapidly transforming business, while business is transforming technology.

That means more security considerations than ever before. No longer can CIOs just put up a firewall and call it security. Nor are any technology decisions, especially security decisions, made on the fly.

But even more importantly, as security risks increase, so does the visibility of the ever-important CISO at the board level.

Organizations of all sizes understand that as new technologies emerge, so do the security risks.

According to Cisco’s 2017 Annual Cybersecurity Report, 93 percent of the 2,796 companies surveyed experienced a security alert in 2016.

Addressing these events and developing an effective security strategy to protect against them requires time and expertise.

It also requires a modern CISO. Someone who can manage all of these areas effectively and efficiently while keeping up with business demands and staying ahead of the next security breach.

According to a January 2017 report by McKinsey & Company, called Protecting Your Critical Digital Assets, it’s important to understand that, “By actively engaging the business leaders and other stakeholders as full thought partners, the CISO will help establish the important relationships for fully informed decision making on investments and resource allocation.”

So, hire an experienced, knowledgeable CISO, and you’re all set? Right?

Not exactly. “Most organizations today don’t understand what the CISO role is for,” says Gary Hayslip, deputy director of IT and CISO for the City of San Diego.

“They don’t understand that having a CISO and an effective team under the CISO is an amazing asset. Cyber is not one thing. It’s in everything,” he says.

What has changed?

The better question is, what hasn’t changed? Today’s security models are evolving faster than ever. They are mired in complexity, fueled not only by increasingly sophisticated attacks but also by the ever-expanding threat landscape created by technologies such as cloud computing, mobility, virtual data centers, the Internet of Things, and more.

Securing organizations today clearly calls for a well-defined security strategy when facing all of these challenges and complexities.

This need for solid, modern security strategies has prompted the rise of the CISO role. It’s become ever more prominent as CISOs stress the importance of protecting all aspects of the business, from technical needs, such as managing security updates, to more strategic planning such as defining a change management program.

With the many technologies connected to one another, from networks to tablets, to smartphones and servers, there is a need for protection in more places. This means that CIOs alone can’t manage IT, security, and risk. What was once just one part of the CIO’s job is now becoming a full-time job for the CISO.

“Companies that take cybersecurity seriously know that it isn’t just an IT issue. It’s a strategic business process,” Hayslip says.

In fact, CISOs often can’t manage all security issues themselves, which is why some choose to outsource various aspects of security. Today’s CISO must understand the short- and long-term impact of every risk and of every solution available.

They must also have a full understanding of the business, as well as of past and present risk situations, so they can make informed decisions that ultimately prevent breaches.

“You don’t purchase a security solution and sit in a closet,” Hayslip says. “Cybersecurity is continuous. We’re upgrading and changing technologies all the time. When the environment is fluid, you have to move in continuous mode.”

However, the reality of getting the necessary resources and budgets needed to protect against cybercrime and other security risks is not always easy.

Getting executive buy-in is a must. Hayslip notes that the hardest part is getting all the stakeholders to understand what cybersecurity actually is, as well as the value that the CISO brings to the table.

“[The execs] really don’t understand the risk involved in every technology decision they make,” he says. “It’s not just a matter of upgrading technologies, moving to the cloud, and saying we’re good to go.” Rather, it’s a matter of having a strategy in place and continually assessing and monitoring all risk areas of the business.

Understanding the Modern CISO

With technology moving at exponential speed, it’s essential for organizations to understand intellectual property and data protection, risk management, forensics and investigation, business continuity, and disaster planning along with regulatory compliance. And today’s CISOs must have technology expertise coupled with strong business acumen and cybersecurity skills. Hayslip shares his ideas on how to be a successful CISO and ensure executive buy-in:

  1. Think of cybercrime as a business issue: A CISO knows that security is not just about email. Focus on all business risk. The CISO should be able to present cybersecurity issues in business terms and offer a strategy that includes an executive briefing, the risks and costs involved, and an execution plan.
  2. Know your networks: Do a hygiene assessment and understand everything that is connected, and what it’s connected to. Do a thorough Top 20 assessment, take inventory, and gain visibility of what is on the network. Then create a network map and perform any needed patch management before you begin anything else.
  3. Understand how your organization does business: Get out and meet with all departments. What does each department do? How do they do it? What type of data do they have? Are they in compliance? Consider security as a risk assessment service, not as good guys vs. bad guys.
  4. Improve your business skills: The CISO is a strategic asset, and executive boards expect CISOs to speak their language. You must be able to explain the value of being a CISO, what your plan is, and how you will achieve it. Learn how to address security in terms of the business, focusing on the revenue impact, user impact, and value. Learn to collaborate and present data that tells a story. If you keep discussions in a business context, the value of cybersecurity will be much better understood.
  5. Keep learning: Continually keep up with all security risks, and learn more business skills. If possible, get an MBA, or take business classes at a junior college. Learn how to build basic spreadsheets on cost and revenue. Take advantage of online training programs such as Lynda.com.
  6. Get involved with the CISO community: Reach out to your peers, CISO discussion groups, and websites that share resources. Join organizations, such as Peerlyst, where CISOs can receive and offer advice to one another, post blogs, and share opinions and advice. Mentor a new security professional.
  7. Be resourceful: Subscribe to business and security research firms to stay abreast of the latest security trends. Get resources from your peers or from startup companies. The more resourceful you are, the easier it is to get the funding you need from those who hold the purse strings.
  8. Know how to explain your role: The role of the CISO is to know not only the latest security risks and threats, but also how to think in business terms and show the executive team what you need, what your strategy is, and the value you will provide by being one of the essential assets to the organization.

Today’s CISO must be fluid, as technology and cyber threats are constantly changing. Understanding your business, knowing what’s at risk, and having communication skills will give all stakeholders a greater appreciation of what’s required of CISOs to keep organizations secure and successful.
Joyce Chutchian is a freelance technology and business editor and content strategist.
