Social Network For Security Executives: Network, Learn & Collaborate
[Posted on Behalf of Gary Hayslip, CISO Softbank Investment advisor ]
In my 20+ years as an information technology and cybersecurity professional, I have had the privilege to work with and mentor some amazing people. I have learned as a CIO and as a CISO sometimes you don’t always get to pick the teams you build and sometimes you inherit interesting employees from previous leaders. Even with these less than ideal situations, you as a professional must still manage them and it is on you for how they perform and hopefully how they mature in their roles. I sit here thinking about this subject as the faces and personalities whiz by me in a blur. I have always tried to mentor my staff, I even mentor them and keep track of them as they move on and grow in our community. It’s this thought that is driving me to write this article because one of the proudest parts of my career is when someone I have mentored, someone I have worked with who has persevered in their career following their path – even with a few corrections – has accepted a position leading to a CISO role.
In hearing the news from him that the rounds of interviews had finally ended, and he had been selected was a great day to me, even though to him he was awash in doubt and scared of this next big step. I thought about telling him on the phone it's ok, we all have been there, it’s a big change and it will work itself out. But I didn’t feel I could really express what I wanted to say so here we are, I decided to write out my advice and through helping him also help those who follow him.
1. Personal Care – you are stepping up into a role that will demand much from you. Cybersecurity is a constant burn, there is no end to this race you are joining so find time to take care of yourself and don’t let the stress destroy your health, your relationships, or your career. CISOs aren’t supermen, its ok to ask for help and take a break.
2. Culture is Important – as a Security Director, Manager, CISO etc. one of the hardest parts of your job will be the business culture of your organization. I have seen many a peer butt heads with culture and lose which is why I am telling you to accept the culture. Don’t be like a rock getting slammed by this force, instead be a rolling wave of water and be flexible and glide around it. Learn the culture, adapt to it and accept it and use it as an asset to get things done. To start doing this you will need champions in the various business units, you will need to make your security initiatives visible to build trust from employees.
3. Risk is about the grey – don’t fall into the fallacy that in making security decisions its either black or white, on or off, good or bad. You as a security professional are providing a service to your company and the business is what’s important, so be willing to compromise. Risk comes in many shades it's not on you to make the decisions but to provide the information, educate when needed, guide when you can and as a member of the leadership team help select a way forward. Understand this doesn’t mean you accept critical risks; if the business wants to and is willing to, you can still accept their way forward and add some extra controls to help you sleep at night.
4. Cyber is a team sport – collaborate whenever possible. Senior security roles can get very lonely as you deal with the stress of the position but there is nothing that says you can’t reach out to peers for advice and help when needed. Make sure you have peers within your various business units to help you understand your company, peers within the cyber community to help you grow as a professional and peers outside of work to provide you balance as a leader, father, husband, and friend.
5. Get the basics right – no matter what framework you select to manage your company’s risk and build your security stack remember the basics. I have seen the lack of security hygiene burn so many companies because it's so simple it’s easy to forget. Integrate it into your team so it becomes muscle memory so when hygiene is a normal practice for your teams it will give you the breathing room you need to take on the initiatives your board will want you to do as their senior security leader.
6. Team Management – building a solid team can at times seem like an impossible task but remember you don’t need to do everything at once. Two things to remember are soft skills and team fit. Your security team is providing a service to your organization's employees which means they need to work well with people and with each other. So, look for the technical skills you need to manage your stack but definitely add in the people skills that will help evolve your team into one that will be known for its high performance.
7. Be patient – everything you do in cybersecurity will typically rely on another team or department to do something for you so you can complete a project or start a new initiative. Because many cybersecurity services tend to be intertwined with other departments you need to get to know your counterparts and factor in their workflows and schedules when you are building your strategic plan. Now, this will take discipline to monitor so your projects don’t fall behind so get used to factoring in the other business units, cyber doesn’t operate effectively in a box.
8. Don’t forget your community – as a leader in cybersecurity give back to the community. You may not have time in the beginning and that’s ok, but as you grow in your role, I expect you to mentor and fellow professionals who follow you. You come from a legacy of mentorship and servant leadership, I consider it a duty to share and help others and it is this duty that has helped you so I am tasking you brother to step up and mentor when you can. One last thing to remember, even in your new leadership role you will still need mentors, so you are not rid of me yet .