Getting to the top role in an industry comes with a fresh set of pressures – after all, with great power comes great responsibility.
In the case of the chief information security officer (CISO), this would apparently be the ultimate role for many to aspire to: it can allow budgetary control, building policies and strategies, people management and, potentially, a seat on the board.
However, when you get there, who do you ask for help? Who guides you to the top role and advises you when you get there? Whose advice do you seek about what to do, especially in the instance of an incident?
These questions came to mind while watching former Uber CISO Joe Sullivan speak at the Black Hat Europe conference last December, when he said aspiring professionals often contact him for his guidance when applying for jobs.
After all, a security professional with the experience of one of the biggest breaches of all time, including dealing with the Federal Trade Commission, and being fired by the CEO, should be a good sounding board for what works and what doesn’t.
Little black book of supporters
However, not every aspiring CISO has Sullivan’s mobile number, so are we providing enough support and even mentoring opportunities for those taking their steps into the top job?
Deloitte CISO Jitender Arora has shared his thoughts on career progression in a series of LinkedIn posts, and with a career in security leadership within financial services, he adds that he also gets approached by people who want to be a CISO.
Speaking to Computer Weekly, Arora likens the CISO role to being an athlete, where you train all year to gain the skills, strength and mental resilience to go through a competition.
“In a CISO job, that test can happen tomorrow or in two years’ time, but you’ve got to be prepared to lead the people, and lead the function, but be able to handle the stress that comes along with this,” he says.
Ultimately, being a security leader is not just about learning security skills, but also life skills, and the fact that “no two days are the same and it brings a lot of stress with it”.
Arora says this comes down to preparation, how you are going to be (physically and mentally), and how you’re going to take care of yourself so that you can take care of everyone around you.
This leads to the point of who to ask when things are not going right and you need to seek advice. Arora says he has drawn inspiration from people where he has worked, and you can find leaders who inspire you in the way they talk and how they explain something.
“Inspiration is all around us, and we should take note of inspiration,” he says. He points out that you’ll hear something said or will have an experience – be it good or bad – and you can dissect it afterwards to understand what was done and said, and what you took away from it that you can act upon.
Building relationships
Bronwyn Boyle, CISO at PPRO, admits she’s been “very lucky” working in a number of financial services risk and security roles, and puts this down to being able to build relationships with people she has worked closely with. “You’re always learning from those who came before you. It’s very reassuring to have that option available,” she says, admitting she is also keen to pass knowledge on.
In her career so far, Boyle says one of the most positive things about the cyber security industry is that the CISO community is very supportive, pointing out several mentors who have helped her.
“I think it’s an awful lot for new CISOs to kind of get their heads around, and having folks who are willing to give you support, be that backstop to provide guidance and be a sounding board, is absolutely invaluable,” she says. “I’m very keen on paying it forward, so I’ve helped new CISOs on what worked for me and what didn’t work.”
Boyle admits that every person has their own individual experiences, but there are thematic topics where having voices, opinions and perspectives heard is really helpful.
As Arora says, there are going to be situations that you cannot prepare for, and Boyle talks about dealing with a cyber attack in a previous CISO role: she says that regardless of what you may have been trying to plan ahead for, you can end up in instances where you’re prepared, and others where events can happen simultaneously, which could be quite overwhelming.
Seasoned CISOs
With this in mind, it’s important to consider who you turn to when things go wrong – presuming that when you get to the position of CISO, you are not given a black book of contacts, both from a leadership perspective and who to turn to when in need of assistance.
Those leaders who have worked their way through the ranks, and have had a chance to work with more experienced CISOs, will be the most hardened and be able to survive through an incident.
Lisa Ventura, founder of Cyber Security Unity, says having a seasoned CISO as a mentor can pay dividends, as they are a goldmine of experience and knowledge: “Many CISOs often also have an executive coach and having one can help them develop leadership and communication skills. These are crucial to navigating the boardroom and being able to interact with senior management.”
Ventura adds that a successful CISO will cultivate a network of trusted advisers and leverage the experience of mentors, peers and industry experts: “This will help them to navigate the complexities of their role and make informed decisions that keep their organisations secure.”
Boyle says mentors can help with the common questions you will have in your early roles.
Ultimately, if there is a gap where people need advice, and there is a feeling that to be seen to be asking for help is a sign of weakness, we need to reduce that by ensuring there is mentorship and support. Boyle cited CISO social groups, where conversations can be held and people new to their industry vertical can make new connections and gain advice.
“For cyber incidents impacting multiple organisations, the security community is often an invaluable source of advice and support,” she says. “I saw it during Log4Shell and again with the recent ThreatViewer compromise.”
Another place where guidance and mentoring can be gained is via safe spaces. Thomas Odams is managing director of RANT Communities, who offer Chatham House Rule events. He says that working in cyber security, especially in a position of leadership, is a lonely posting in many businesses.
“When tasked with keeping the crown jewels safe and remaining aware of vulnerabilities and risks, finding a safe space to share best practice and more importantly, esprit de corps with those in similar roles from other organisations, is essential to surviving and thriving in this industry,” he says.
He adds that the attitude of knowing you’re not alone in having this problem, accompanied by a rush of relief, is a common reaction post-sharing these experiences.
Odams says “honest, open and informal sharing among our members” has always been championed, and their events are often particularly blessed with the support of their CISO community, who recommend members of their team to join specific events with topics relevant to their current projects, allowing them to benefit from the collective wisdom of their experienced peers.
Show no sign of weakness
Arora says he has never come across “a single person who has said no” when asked for advice, as “they are very happy to share their wisdom, as they have such a wide angle and diverse view, and they know what good looks like”.
Arora acknowledges the issue of asking for help being seen as a sign of weakness, and there is a persistent fear that if you ask for help, “you will be exposed as the imposter syndrome kicks in”.
He says that to ask for advice and help should be an honourable effort, and that people are as scared of asking for help as they are of asking for feedback, but that is part of being a CISO. It is not about not knowing, it is about learning.
He adds that this is why he was led to share advice on LinkedIn, as people do not talk about fundamental things. “Everyone struggles – don’t tell me a CEO of a Fortune 500 company does not have their sign of weaknesses and say, ‘I just hope I have not messed up and made a decision that will cost this company a significant amount of money’.”
Building networks is such a key part of any career, and it’s important that support is offered and communities are open and welcoming. With this human factor open and prepared to offer advice, we could look to overcome some of the most common problems in cyber security strategy – what do you do when the worst happens?