The CISO role has evolved in recent years. CISOs don't come just from technical and security backgrounds anymore. Each organization has its own distinct vision for how to solve its security needs, whether those needs are customer-, regulatory-, or industry-driven.
I started out my career as an external auditor, with the goal of becoming a CFO. I later took a job on a security team that drew on my complementary skills, performing risk and control gap assessments and providing consulting across the company's departments.
After that, I transitioned to a company that needed expertise in technical privacy and GDPR, which steered me toward the CISO role here at Devo. It turns out that a compliance background is a great fit for security. Privacy, risk, and reporting are such mission-critical functions that they weave their way into every security decision a company makes.
But other backgrounds can produce effective, high-quality CISOs who contribute to more diversity of thought and, in turn, better business outcomes. People who’ve held down jobs in customer service, law enforcement, the military, business operations, and security research (to name a few) all have the type of skill sets and training that organizations need to lead security in the 2020s. I, for one, am counting on it. I’ve recently changed the job descriptions for people I hire to ensure we’re getting that next generation of security experts and future CISOs with diverse backgrounds.
Let’s look at some of these backgrounds and the skills they bring to the CISO role:
Customer service: Extroverts who have mastered the art of upselling in a restaurant, for example, have the patience and the people skills to manage a complex array of stakeholders. Getting the board, the security champions, and the “resistors” to agree on a vision is their specialty.
Law enforcement and the military: Professionals from these fields are doing well as CISOs. They tend to operate in a black-and-white fashion, with no room for gray in the middle. If you're trying to create or realign a security culture, one of these so-called "enforcer CISOs" can get it done.
Business operations: CISOs from business operations may not know every last security protocol, but these people are terrific at tactical plans. They can speak the business language and partner with security specialists to guide a strategy.
Executives: So-called “executive CISOs” understand the business and can manage people. They’re less focused on technology and the strategic aspects of securing operations than they are on making deals and advancing the business. These executives have a business background but didn’t work in security. They delegate extensively and approach the job as a series of tasks to be solved.
Visionaries: Security researchers who are intellectually curious problem solvers have the drive and the aptitude to create a CISO's vision and get people to buy in. They communicate well across teams. They're especially good at assessing the strength of a security organization, proposing out-of-the-box solutions, and moving quickly to get them implemented.
"Compliance CISOs": Executives like me bring the mentality of an auditor to specific tasks and to the job as a whole. If there's a potential "data spill," for instance, my nature is to get on a call and determine what's happening. If it could be a misconfiguration, what is the process around this configuration? What team is involved? When did it happen? I look at the risks, the controls, and the processes that lead up to a misconfiguration.
The fact is, you're never going to find a CISO who is an expert in every part of the job. Security is a multi-faceted function that demands both deep and broad knowledge in so many areas. If you don't have deep expertise in coding, access management, business operations, or cloud security, surround yourself with people who do. Then use your own set of skills to lead your team by strategizing and working toward corporate objectives.
If I realize I'm not strong in a particular area, I reach out for help, whether within my team or in another functional department. If I tried to know everything, that could be a problem.
Unlike in past years, there’s no one path to the CISO function. That’s not going to change. Each company is going to find its own way and develop its own style. Hiring a CISO with the background and skill set best suited for the company is the surest way to success. And being able to pivot as the company evolves over time is crucial to that.
If you’re a security leader looking to improve your SOC operations with elements such as automation, read Four Elements Security Leaders Must Consider When Building an Autonomous SOC.