![\"Plankton](\"https:\/\/3b6xlt3iddqmuq5vy2w0s5d3-wpengine.netdna-ssl.com\/state-of-security\/wp-content\/uploads\/sites\/3\/Picture1.gif\")
<\/figure>\n<\/div>\n![\"Fire](\"https:\/\/3b6xlt3iddqmuq5vy2w0s5d3-wpengine.netdna-ssl.com\/state-of-security\/wp-content\/uploads\/sites\/3\/Picture2.gif\")
<\/figure>\n<\/div>\n![\"critical](\"https:\/\/3b6xlt3iddqmuq5vy2w0s5d3-wpengine.netdna-ssl.com\/state-of-security\/wp-content\/uploads\/sites\/3\/levar.gif\")
![\"The](\"https:\/\/3b6xlt3iddqmuq5vy2w0s5d3-wpengine.netdna-ssl.com\/state-of-security\/wp-content\/uploads\/sites\/3\/tenor.gif\")
<\/p>\n<\/div>\n<\/div>\n
Having worked within the cyber security and technology industry for over a decade, I have seen brilliant examples of leadership and not-so-lovely managers. Over time, I have noticed the difference is found in how the senior person approaches their role. Leaders are people who strive for a positive experience, are able to delegate and are willing to let colleagues work in their own way, all whilst retaining a holistic view that is forward-looking.<\/p>\n
As with all industries, it can be difficult to understand from the outside what it truly takes to get to a specific position or what the role itself actually requires. It is also important to note that no role is created by a cookie cutter \u2013 diversity of skills, experiences and more can enhance the organization\u2019s strategy and coverage.\u00a0In fact, research carried out by\u00a0Mckinsey & Company titled \u201cDelivering Through Diversity\u201d<\/a>\u00a0from 2018 revealed that gender diverse senior leadership led to a 20% profit increase \u2013 ethnic diversity even higher. Within security, diversity of thought, skills, points of view, experiences, gender, culture and more bring layers of knowledge, considerations and insights that others might not consider.<\/p>\n The role of a Chief Information Security Officer (CISO) is no exception to the need for diverse persons. What I found from speaking to contacts within the CISO position was that it is quite easy to find one type of CISO \u2013 that expected cookie-cutter with similar backgrounds \u2013 but difficult to find diverse persons.<\/p>\n Thankfully, I have the privilege knowing many excellent persons who have broken that mold and who became truly excellent CISOs focused on empowering their teams and bringing security to the forefront of their products and\/or service.<\/p>\n \u201cMy job is to ensure cross functionality does not turn into dysfunctionality\u201d \u2013\u00a0Ian Thornton-Trump<\/a>, CISO at Cyjax.<\/p>\n The number one response I got from my contacts was that their role is to keep up to date on security news and trends in order to identify how that may or may not affect the organization. Taking those industry insights, a CISO then translates and communicates that knowledge across the different teams and departments.<\/p>\n \u201cIn addition to making sure I\u2019m up-to-date with any relevant, emerging threats and that any in-flight projects related to current strategy are still ticking along, I work to stay on top of the plethora of emails related to daily BAU activities.\u201d \u2013\u00a0Becky Pinkard<\/a>, CISO at Aldermore Bank PLC.<\/p>\n One response that stood out to me was\u00a0Christian Toon<\/a>, CISO at Pinsent Masons, who shared that a critical piece of his role is ensuring the team\u2019s well-being and how enabling them to succeed is actually the key to his own success.<\/p>\n \u201cMore recently the team, that they have what they need (approval, resources, strategy, direction, moral support, mental well-being, &c) to be successful,\u201d he said.<\/p>\n One person I always enjoy getting insights from is my long-time friend Ian Thornton-Trump, CISO at Cyjax. What is Ian\u2019s daily focus?<\/p>\n Coffee, read intel reports flag items of interest to the Threat Intel Team to make sure they are on top of things \u2013 they generally are. Take a gander at social media and plunge into the work of the day be it media commentary, reporting or marketing campaign related \u2013 very unlike CISO but we are a start-up so everyone contributes cross functionally. My job is to ensure cross functionality does not turn into dysfunctionality, so I work with the COO very closely. I also have a role in product development and public advocacy for the importance of CTI as a robust, effective and inexpensive solution to help against cyber-crime.<\/p><\/blockquote>\n Whilst each response is different, we can already see a theme throughout \u2013 the role of a CISO is taking that holistic view of the organization. They\u2019re about knowing their team and empowering them to achieve what they need whilst knowing what\u2019s next in terms of the threats confronting the organisation.<\/p>\n <\/p>\n <\/p>\n<\/div>\n<\/div>\n Whilst you might feel we\u2019ve answered this already, I was curious what my connections thought their purpose was. Speaking with\u00a0Wolfgang Goerlich<\/a>, Advisory CISO at DUO Security, he explained that, \u201cThe CISO negotiates with peers and business partners. The CISO marshals support, budgets and people. The CISO protects the organization by securing the technology that enables the organization.\u201d<\/p>\n Becky\u2019s response was within the same thread: \u201cThe true purpose of the CISO is to interpret and align the company\u2019s risk appetite with security opportunity to create and then drive the best strategy for securing the business and ultimately to ensure the right security for customers.\u201d<\/p>\n To me, both Wolfgang and Becky\u2019s responses go back to CISOs having that holistic view. It\u2019s about taking stock of all the little complexities along the way, ultimately lining them up and appropriately assessing them.<\/p>\n Ian highlights this further: \u201cLeadership and awareness of what is going on, why it\u2019s going on and who may be victimized by the events unfolding. \u201c<\/p>\n You may have heard the following many times: \u201cThe more senior your role, the less hands-on\/technical you can be.\u201d However, I found an interesting point that both Becky made.<\/p>\n My cyber security career consisted of hands-on, technical roles for the first 10 years, which has helped me immensely as my career has grown on the management and CISO side \u2013 I think this is my strongest area, as a result.<\/p><\/blockquote>\n Whereas, Wolfgang tells us if he could \u2018go back\u2019 and focus on one skill before \u2018leveling up\u2019 to a CISO, it would be on specializing.<\/p>\n It\u2019s fashionable to talk about the C in CISO. The CISO is a business executive first, a technologist second. That\u2019s true and it\u2019s often said. The longer I\u2019m out of the trenches, the more difficult the technologist aspect of the job becomes. I would level up on Infrastructure-as-a-Service and Software-as-a-Service security.<\/p><\/blockquote>\n Meanwhile, Christian sees the value of his interpersonal skills and understanding people: \u201cI\u2019ve recently perfected the perfect home brew ale, oh wait, security thing\u2026 for me it\u2019s all about the soft skills \u2013 bringing people together to achieve what needs to be done to best secure the business.\u201d<\/p>\n At times, being able to see through what someone is saying, breaking down the words and reading between, is Ian\u2019s greatest asset. he shares.<\/p>\n Is bulls**t detection on the list? Understanding the noise of FUD to discern an interesting event or product in the marketplace. There is a lot of FUD to sort through, be it an article that vastly overstates the \u201cdanger\u201d of a new vulnerability or a vendor that claims they are the 100%, well, anything. Sure, with 20+ years in the industry and a lot of time in a uniform, I\u2019ve picked up a few tips and tricks, but at the end of the day, I would say I\u2019m adaptable, and adaptability helps build an\u00a0agile<\/a>\u00a0organization.<\/p><\/blockquote>\n If you could go back and focus on one skill before \u2018leveling up\u2019 to a CISO, what would it be?<\/p>\n Becky and Ian took the opposite views to focus more on the risk and team management skills. Here\u2019s Becky.<\/p>\n I never ran a risk function, so I\u2019d wish to have spent more time in this area before landing the CISO role. While I\u2019ve had probably hundreds of risk-based conversations throughout my career prior to the CISO role, the language and slant is different from the CISO lens. I think experiencing ownership of that function in the past would have helped me to feel more comfortable going into the \u201cdeep end of risk\u201d in the CISO shoes!<\/p><\/blockquote>\n \u201cWow tough one,\u201d said Ian. \u201cCertainly, it would not be technical certs. I\u2019ve got a bunch of them, but as I think about the question,\u00a0I would say more opportunities to build teams. Most of my experience has been gained from ad-hoc team management as either an incident handler or on a security project or sec ops.\u201d<\/p>\n Whilst your journey in the career is definitely going to affect where your expertise is and ultimately where you wish you had more experience in, the constant throughout my discussions were:<\/p>\nOn a typical day, what is your focus:<\/strong><\/h2>\n
What being a CISO really is:<\/strong><\/h2>\n
![\"All](\"https:\/\/3b6xlt3iddqmuq5vy2w0s5d3-wpengine.netdna-ssl.com\/state-of-security\/wp-content\/uploads\/sites\/3\/Picture4.gif\")
<\/figure>\n<\/div>\n![\"Do](\"https:\/\/3b6xlt3iddqmuq5vy2w0s5d3-wpengine.netdna-ssl.com\/state-of-security\/wp-content\/uploads\/sites\/3\/Picture3.gif\")
<\/figure>\n<\/div>\n![\"Fernando](\"https:\/\/3b6xlt3iddqmuq5vy2w0s5d3-wpengine.netdna-ssl.com\/state-of-security\/wp-content\/uploads\/sites\/3\/ferdinand.gif\")
![\"Bernie](\"https:\/\/3b6xlt3iddqmuq5vy2w0s5d3-wpengine.netdna-ssl.com\/state-of-security\/wp-content\/uploads\/sites\/3\/bernie.gif\")
What is the true purpose of a CISO?\u00a0<\/strong><\/h2>\n
What area would you say you are best in?<\/strong><\/h2>\n
\n
My view is information security is:<\/strong><\/h2>\n