A chief information security officer’s success rides on how they address a few crucial issues, like when to stop an IT project in the name of cybersecurity and whether the staff they hire is accountable and trustworthy.
All leaders face hard decisions. Whether you are a team lead, first-time supervisor or junior department director, those decisions follow you for years and will eventually define your legacy. As a leader’s scope of duties, number of staff and overall authority grow, the impact of those decisions becomes even greater.
The list is long: Which technology or vendor is the best fit? What can motivate that staff member? Is it time to try something different? Do you keep pushing your team harder or give them a break? And so on.
Nevertheless, there are three topics security chiefs face that are especially important because of their role. While other technology and business heads also face these career challenges, these three decisions often determine whether someone succeeds or fails as a security leader.
Back in 2004 I almost got fired when I insisted that we could not put Wi-Fi in our government conference rooms. I said, “We just can’t do it. Not secure. Bad idea. I’m vetoing the project!”
My boss was then-state CIO Teri Takai*, who later went on to become CIO of California and of the Department of Defense. She said, “Dan, if that’s your answer, you can’t be the CISO in Michigan.”
Teri went on: “I’ve been to Dow, Ford, Chrysler and GM, and they all have Wi-Fi in their conference rooms. So you need to figure out what they know that you don’t know, and then come back and tell me how we’re going to implement Wi-Fi securely. I’m giving you one week.”
That meeting started a transformation in my security career. I began to rethink my role, my team’s mission and how we were being perceived. I refocused my tactical and strategic initiatives to become an enabler of innovation — with the “right” level of security. We went on to win awards for secure Wi-Fi deployments in government a few years later.
And there was a larger lesson. I now constantly ask myself: Am I bringing the organization problems or workable solutions? Lesson 1: Be careful with security veto power. Think innovatively about offering alternative cyberanswers.
In 2012, Utah state government made national headlines when a data breach exposed the Social Security numbers of about 280,000 Medicaid recipients. Top government leaders were fired, but the root cause was not poor technology — it was the negligent use of a default password by a network contractor. Lesson 2: Processes and people are the cause of more cyberproblems than poor technology. Getting to the root cause after an incident and mitigating ongoing risk is an imperative.
Do customers trust and respect both you and your cyberteam? And just as important: do you also verify the trustworthiness of your own staff?
The insider threat remains a nebulous issue for cyberleaders. While most insider threats are unintended errors, like staff clicking on a malicious email link, most CISOs at least occasionally stay awake at night worrying that a deeper problem lies within the team.
Background checks are only a starting point: suspicions of unethical behavior by staff, peers or executive leadership will undermine future effectiveness and the ability to accomplish security goals. Cyberpros are the protectors of the crown jewels, including data and much more. Personal integrity is paramount.
Lesson 3: Build trust and integrity into every security team relationship and process. I’d rather hire a good security pro who has a great attitude, is trustworthy and is accountable than a great cybersecurity expert whom I don’t trust.