What in the World Is a CISO?

Whilst employment has taken a downward curve over the last year or so, there are a variety of approaches I use when applying for a role to help my CV stand out. One key point is knowing what the job entails before submitting my cover letter and CV. This allows me to tailor my message effectively. Additionally, it enables me to find positions that I might not have originally considered. One position I think more people should be aware of is a CISO. What does this actually mean – besides being made redundant when a breach is announced? I have personally worked within a CISO-as-a-Service position, but I wanted to get some more insight from those who are working in the trenches daily in an in-house CISO position. Below is what I learned through speaking with some brilliant contacts:

What I thought being a CISO was:

Having worked within the cyber security and technology industry for over a decade, I have seen brilliant examples of leadership and not-so-lovely managers. Over time, I have noticed the difference is found in how the senior person approaches their role. Leaders are people who strive for a positive experience, are able to delegate and are willing to let colleagues work in their own way, all whilst retaining a holistic view that is forward-looking.

As with all industries, it can be difficult to understand from the outside what it truly takes to get to a specific position or what the role itself actually requires. It is also important to note that no role is created by a cookie cutter – diversity of skills, experiences and more can enhance the organization’s strategy and coverage. In fact, research carried out by Mckinsey & Company titled “Delivering Through Diversity” from 2018 revealed that gender diverse senior leadership led to a 20% profit increase – ethnic diversity even higher. Within security, diversity of thought, skills, points of view, experiences, gender, culture and more bring layers of knowledge, considerations and insights that others might not consider.

The role of a Chief Information Security Officer (CISO) is no exception to the need for diverse persons. What I found from speaking to contacts within the CISO position was that it is quite easy to find one type of CISO – that expected cookie-cutter with similar backgrounds – but difficult to find diverse persons.

Thankfully, I have the privilege knowing many excellent persons who have broken that mold and who became truly excellent CISOs focused on empowering their teams and bringing security to the forefront of their products and/or service.

On a typical day, what is your focus:

“My job is to ensure cross functionality does not turn into dysfunctionality” – Ian Thornton-Trump, CISO at Cyjax.

The number one response I got from my contacts was that their role is to keep up to date on security news and trends in order to identify how that may or may not affect the organization. Taking those industry insights, a CISO then translates and communicates that knowledge across the different teams and departments.

“In addition to making sure I’m up-to-date with any relevant, emerging threats and that any in-flight projects related to current strategy are still ticking along, I work to stay on top of the plethora of emails related to daily BAU activities.” – Becky Pinkard, CISO at Aldermore Bank PLC.

One response that stood out to me was Christian Toon, CISO at Pinsent Masons, who shared that a critical piece of his role is ensuring the team’s well-being and how enabling them to succeed is actually the key to his own success.

“More recently the team, that they have what they need (approval, resources, strategy, direction, moral support, mental well-being, &c) to be successful,” he said.

One person I always enjoy getting insights from is my long-time friend Ian Thornton-Trump, CISO at Cyjax. What is Ian’s daily focus?

Coffee, read intel reports flag items of interest to the Threat Intel Team to make sure they are on top of things – they generally are. Take a gander at social media and plunge into the work of the day be it media commentary, reporting or marketing campaign related – very unlike CISO but we are a start-up so everyone contributes cross functionally. My job is to ensure cross functionality does not turn into dysfunctionality, so I work with the COO very closely. I also have a role in product development and public advocacy for the importance of CTI as a robust, effective and inexpensive solution to help against cyber-crime.

Whilst each response is different, we can already see a theme throughout – the role of a CISO is taking that holistic view of the organization. They’re about knowing their team and empowering them to achieve what they need whilst knowing what’s next in terms of the threats confronting the organisation.

What being a CISO really is:

What is the true purpose of a CISO? 

Whilst you might feel we’ve answered this already, I was curious what my connections thought their purpose was. Speaking with Wolfgang Goerlich, Advisory CISO at DUO Security, he explained that, “The CISO negotiates with peers and business partners. The CISO marshals support, budgets and people. The CISO protects the organization by securing the technology that enables the organization.”

Becky’s response was within the same thread: “The true purpose of the CISO is to interpret and align the company’s risk appetite with security opportunity to create and then drive the best strategy for securing the business and ultimately to ensure the right security for customers.”

To me, both Wolfgang and Becky’s responses go back to CISOs having that holistic view. It’s about taking stock of all the little complexities along the way, ultimately lining them up and appropriately assessing them.

Ian highlights this further: “Leadership and awareness of what is going on, why it’s going on and who may be victimized by the events unfolding. “

What area would you say you are best in?

You may have heard the following many times: “The more senior your role, the less hands-on/technical you can be.” However, I found an interesting point that both Becky made.

My cyber security career consisted of hands-on, technical roles for the first 10 years, which has helped me immensely as my career has grown on the management and CISO side – I think this is my strongest area, as a result.

Whereas, Wolfgang tells us if he could ‘go back’ and focus on one skill before ‘leveling up’ to a CISO, it would be on specializing.

It’s fashionable to talk about the C in CISO. The CISO is a business executive first, a technologist second. That’s true and it’s often said. The longer I’m out of the trenches, the more difficult the technologist aspect of the job becomes. I would level up on Infrastructure-as-a-Service and Software-as-a-Service security.

Meanwhile, Christian sees the value of his interpersonal skills and understanding people: “I’ve recently perfected the perfect home brew ale, oh wait, security thing… for me it’s all about the soft skills – bringing people together to achieve what needs to be done to best secure the business.”

At times, being able to see through what someone is saying, breaking down the words and reading between, is Ian’s greatest asset. he shares.

Is bulls**t detection on the list? Understanding the noise of FUD to discern an interesting event or product in the marketplace. There is a lot of FUD to sort through, be it an article that vastly overstates the “danger” of a new vulnerability or a vendor that claims they are the 100%, well, anything. Sure, with 20+ years in the industry and a lot of time in a uniform, I’ve picked up a few tips and tricks, but at the end of the day, I would say I’m adaptable, and adaptability helps build an agile organization.

If you could go back and focus on one skill before ‘leveling up’ to a CISO, what would it be?

Becky and Ian took the opposite views to focus more on the risk and team management skills. Here’s Becky.

I never ran a risk function, so I’d wish to have spent more time in this area before landing the CISO role. While I’ve had probably hundreds of risk-based conversations throughout my career prior to the CISO role, the language and slant is different from the CISO lens. I think experiencing ownership of that function in the past would have helped me to feel more comfortable going into the “deep end of risk” in the CISO shoes!

“Wow tough one,” said Ian. “Certainly, it would not be technical certs. I’ve got a bunch of them, but as I think about the question, I would say more opportunities to build teams. Most of my experience has been gained from ad-hoc team management as either an incident handler or on a security project or sec ops.”

Whilst your journey in the career is definitely going to affect where your expertise is and ultimately where you wish you had more experience in, the constant throughout my discussions were:

1. Hands-on experience with technology is brilliant and will enhance your understanding in order to better understand the problems your organization faces and rate the risks proportionately.
2. Most importantly, people matter, your team matters and the relationship you build with them affects your success.

My view is information security is:

People, process, and technology – but people are first for a reason.

Taking a bit of a different view, and actually in line with the whole purpose of my writing this article to begin with, Christian shares, “If I could go back, I wouldn’t want to level up. I’d want to start sooner. A misguided youth didn’t open my eyes to white hat security until very late, let alone the idea that I could even make a career out of it. But an area I wish I knew more about is mental resilience and emotional intelligence.”

Reality is, there is no perfect CISO; there is no true cookie-cutter for either the role or the person. I think organizations would massively benefit from a variety of persons pursuing this position, adding that context to industry trends, handling the team effectively and bringing insights from their industry experience. This can be either with an in-house or vCISO position. In order to achieve this, organizations will be required to ensure their hiring process allows for diverse opportunities. Targeting diverse persons who might be a strong CISO but may not originally have considered this is most interesting to me.