The rumors are true: it can get lonely at the top. As a CISO, I have many teams below me, a board of directors to keep happy and an organization to protect. This is nothing new, and at this stage of my career, I’ve become familiar with the many challenges — and even greater rewards — that go hand in hand with leading.
Of course, it helps that I’ve been managing from the jump. Shortly after I graduated, I started working as a penetration tester, only to discover I was mediocre at the job. Eventually, my boss caught on.
“Jason, you're just such a good people person,” he said. “We're gonna demote you to be a manager.”
And that was the conversation that catalyzed my career.
Since then, I’ve gotten into a whole bunch of fun areas at the cross-section of cybersecurity and management. But if there’s anything I’ve learned, it’s that to do a job and do it well, you need the support of your peers and the wisdom of your superiors. I’m a huge proponent of finding community and connecting with people of a similar mind, passion or profession.
This is why my advice to any prospective CISO is to prioritize people. Don’t wall yourself off — your place at the top will be solitary enough as it is. Instead, build out your network, empower your organization, foster a good relationship with leadership, and look after your employees.
Below, I dive into the four principles that have helped me during my career. I hope they help my fellow and aspiring CISOs as well.
1. A CISO Needs to Have CISO Friends
This might sound obvious, but CISOs need to continually grow their network, and they need to talk to each other. Fortunately, there are infinite ways to do this. I’m currently a member of a Slack channel that has several hundred CISOs on it, and we talk all the time. This is an incredible resource to have on hand — suddenly, you go from being just one of a couple security leaders at your job, to having hundreds of security leaders and experts to tap.
Many of them can serve as a sounding board, which CISOs notoriously lack. You can ask questions about how to handle certain situations, how to identify and address different types of threats. You can learn all kinds of things that can help you do your job better, while making your company even more secure.
In this sense, CISOs are a unique community. We all want the best for each other, and successful CISOs want their fellow CISOs to be successful, too. This is what we strive for, individually as well as communally: to get better at the work we do, and to join hands as we run into another proverbial dumpster fire. Because we’re all fighting the same fight, and in the face of so many evolving threats, we’re not always fighting a fair battle. But by building out our network, getting to know other CISOs and learning even more about our craft, we stand a much better chance of facing down our enemies when the time comes.
2. A CISO Needs to Empower the Business
Any good CISO should implement a strong, foundational security practice. But they often miss one of the most impactful parts, and that’s empowering the business. CISOs need to start asking themselves how they can create value and improve efficiency. They need to ask questions like: How do I help engineering go faster? How can sales be more effective? Because when you finally start putting these pieces together, you're telling a story that executives want to hear and — better yet — that they understand.
This is also a huge confidence booster with the board of directors. As opposed to saying, “I’m going to focus on foundational security,” you’re saying, “I’m going to increase the velocity of business operations.” By focusing on growth and speaking “security” in practical, real-world terms, the board is better positioned to give you exactly what you want.
But getting that business context in there is key, as it moves the conversation away from technical security measures, and toward the big picture: that is, how the company can do better, and how you’re going to help them get there. Once you've empowered the business, then you can really begin to look at ways to innovate.
3. A CISO Needs to Have a Good Relationship with Leadership
One of the responsibilities of a CISO is to communicate with leadership and to be the face of security. For me, fostering a good relationship with the C-suite and the board has always played into this — regardless of the size of the company or the org structure. In one of my previous roles, I didn't report into the president of technology, but I still sat in on the staff meetings because I wanted to be considered part of their team. I did the same thing with sales, so I could see what their priorities were, and where there was opportunity to align our strategies. Above all else, leadership needs to see security as a business enabler, and not a roadblock. Understanding all the moving pieces within the company can help you do just that.
It’s also important to keep things simple. Most executives don’t have a technical background, and conversations consisting of tech-speak and manufactured security presentations will lose them immediately. Instead, convey the value of cybersecurity in metrics that leadership understands, like time and money saved. Don’t get into tools deployed or applications tested. They want to see the impact security has on the business itself.
Finally, figure out how revenue flows in and out of the organization, and what could potentially jeopardize this. Once you’ve started to ask these types of questions, you can begin to map initiatives to what’s top of mind.
4. A CISO Must Elevate Their People
As a leader, I like to think of myself as “humbitious.” It's a made-up word that includes ambitious — wanting to grow and do more — but in a humble and compassionate way. Leading with empathy and care for my employees is part of the reason I’ve been so successful in my career, and this was a lesson that I learned from one of my mentors. I like to think this comes across in my style of working with people, as I really orient a lot of what I do around how I can best help my team.
To me, the most effective manager is one who asks their team: How can I be more impactful? How can I help you be successful? I’ll ask my employees these questions point blank, because my priority is to help them accomplish great things, so that they can eventually get promoted. As an added bonus, by prioritizing career development, the organization will continually level up, proving itself indispensable.
At the end of the day, that’s really what the job’s about. You invest in your people, prove your individual and collective worth to the company, and take your org to the next level. And if you can do all that while being humbitious, even better.
This blog is Jason Lee’s contribution to Splunk’s new book Bluenomicon: The Network Defender’s Compendium that offers perspectives and war stories from cybersecurity leaders and practitioners. Pick up your official copy at the Splunk booth N-5770 at RSA Conference 2023 at the Moscone Center in San Francisco. Swing by the reception at the Splunk booth on Monday, April 24 from 6-7pm to have your book signed by the authors.