Recently I listened to a conversation between 3 CISOs about security hiring, and they made a painfully direct statement about the kind of people they are looking for. It sparked 3 observations to consider as you plan your career development priorities (these are not just relevant for security, BTW).
First, the statement: “I’m not looking to hire people who are Splunk certified, Carbon Black certified, whatever-certified. They don’t understand security, they understand tools. I need thinkers, not tool jockeys.”
3 observations:
- Being a tooling SME is not a bad thing. Many of us started out there, and some people stay there on purpose, because that’s what they love. Those kinds of skills will always be relevant, for as long as the tool/tech in question is relevant. Just don’t expect to be invited into strategic conversations, because those kinds of conversations require a different skill set.
- Doing things right (management), and doing the right things (leadership), are not the same thing. At the security leadership level, leaders are not generally asking HOW questions (i.e. doing things right). They are asking WHY and WHAT questions (i.e. doing the right things).
  - WHY must we change, i.e. the visible and hidden factors driving evolution in mindset and approach.
  - WHAT capabilities and competencies must we develop/prioritize/improve?
  - HOW to land and sustain the operational aspects of change is where SMEs come in, but the strategic trajectory has already been set.
- When I reflect on the times where I’ve played a highly influential role in shaping the strategic direction of a security programme or partnership, it has rarely come down to my technical knowledge. The ability to synthesize the technical with business and security objectives and risk, and do so in a believable way, matters far more.
I am convinced that there is nothing more valuable…or more rare…than a business-centric security practitioner. Beyond a certain point in your career, your technical chops are assumed. The question mark is, what broader business value can you create?
If you aspire to influence at higher levels, make sure you prioritize the development of skills that are valuable and influential to non-technical leaders, just as much as you develop your technical skills.