I love spending time with CISOs, and last week I spent two undistracted days with the CISO of a major global bank. It was a wonderful (and rare) opportunity, and it reminded me of a few key lessons worth sharing:
1. Authenticity doesn’t guarantee success, but the lack of authenticity guarantees failure (JL Kerma): CISOs are surrounded by a constellation of people keen to leverage them for their own personal benefit: a new job, a public platform, a sales target, etc. It is rare (in life, and for CISOs specifically) to encounter people who pursue connection without ulterior motives or strings attached. Aspire to be one of those people.
2. CISOs live the life most of the security industry just talks about on PowerPoint slides: In vendor-land, CISOs are just the people you need to convince to buy your stuff. But in the real world, security risks, skill shortages, the complexities of legacy vs. modern ways of working, etc. are not conceptual but day-to-day realities. CISOs are people who could find themselves in prison if they get it wrong, especially in heavily regulated industries like Financial Services. They aren’t usually ignorant of the better/more secure ways of working that we advocate, but they aren’t naive about the true cost of change, either (i.e. it’s not just about the tech).
3. They are normal people…just with a huge weight on their shoulders: I know they exist, but I’ve yet to meet a CISO (and I’ve met a bunch) who wasn’t a down-to-earth, kind person. I have met plenty, however, who don’t come across that way at first—mostly because of #1 (or #4, below). In vendor-land, we have to earn the right to be heard.
4. If you promise something, you’d better be able to deliver it (or kiss your credibility goodbye): As per #2, there’s no such thing as purely tech change; tech change is business change, which introduces risk and impacts people and processes (often people and processes that do not sit in the CISO’s org). CISOs have to work hard to influence other business stakeholders to embrace change, and that means if they’ve taken a chance on a solution, they are taking a big personal and professional risk. Be honest and up-front about what your products can do—and what they can’t.