My reflections as a CISO

Stepping into a management role can be daunting. In this article I will do my best to explain how my experience has gone as a Chief Information Security Officer.

The management role

You have to face it: you are no longer the security techie who can dig into logs for days at a time. You are now expected to make plans, run risk assessments, and understand where the business sits on security. You own the area, and you need clear, concise plans to move it forward. That can seem daunting, but if you have been accepted into the role you should be up for it.

Being part of management also means being visible, showing commitment, and having confidence in the plan. Security is far more than technical speeches and deciding which boxes to buy. A big part of the job is spreading awareness, and to do that you have to be at least somewhat of a people person. A few things that help me stay visible:

Be careful not to be too hands-on. Security should be baked into business processes as naturally as possible, not something everyone points at and expects to fix itself. This is genuinely hard, because many people will assume you are there to solve things for them. My analogy: you are not the dust boy cleaning up after everyone. Instead of cleaning up the chef’s spill, you teach them to work the kitchen. You are there to help them cook better, prevent the spill, and clean up after themselves.

When someone says “Hey Chris, you are the security guy, right? I have this thing,” I interrupt them. I tell them I am not the only security person, they are one too. The business expects it of them, and we all need to stay aware. Security is not something we point at, it is something we incorporate.

Do not be a victim of the security roller-coaster

If you do your job perfectly, management never has a security incident to worry about, everything is great, and you get the budget and team you want, right? Not really. If everything is always great, you have less of a chance to defend your budget, position, and team. Why? Because nobody knows about the good work you do every day. Remember the attacker your team stopped but you never took credit for? Unless you tell the organization, they will not know, and leadership may start to wonder whether your position is surplus.

I am not saying you should let something bad happen so you can swoop in and save the day. The opposite. Do what many security leaders fail to do: report on everything you actually accomplish. Report on the events hitting your firewall and IDS, the script kiddies you stopped, the malware you blocked. You are probably attacked many times a day, and your team, tooling, and budget are fending it off. Say so.

That is the roller-coaster: if you do not report on the value you provide, you become a candidate for budget cuts and layoffs. If leadership sees everything as perfect, they may decide they do not need a dedicated security function and cut it. Then they get compromised in the following months and hire a new CISO. Up, then down. The business made an investment in you, so make sure they know it is a good one.

Want to become a CISO?

Know what you are getting into. This is not necessarily a technical role. You largely make your own days, but you are expected to focus on business and strategy, with less time for the hands-on work so many of us love. Expect a lot of paperwork, because security decisions should be anchored in policies you can point to, and those often need formal management approval. You will likely work on an Information Security Management System, which requires real documentation, but sealing the deal with approved policies is genuinely rewarding.

As you climb, you will do less security work and spend more time telling others what to do. Be sure you can appreciate delegation over doing it yourself, because good leaders delegate. That frees you to tackle the truly important challenges, and following up on what you delegated occasionally lets you get your hands dirty again.

As an engineer or architect the job is about you: the hero, the guru, the expert. In management it is about we. It is no longer about you, it is about your team.

Final words

If you are an aspiring manager, do not give up. Let everyone know how you feel about security, let your passion show, and make your enthusiasm rub off on others. Take action and lead. Sometimes pointing at things is not enough, you have to do it yourself. And to current managers: I hope you avoid the roller-coaster. A good leader enables their team to make their own decisions, and an effective team jumps at opportunities instead of just doing what it is told. That culture comes from you.