Throughout my career as both a CISO and a consultant serving CISOs in companies around the globe, I’ve learned that Chief Information Security Officers, regardless of their current title, reporting structure or how they got to the role, share many things in common; one of which being, they love to talk about their experiences. Recently, we gathered three of the most experienced CISOs I know to discuss all that, and much more.
Our panel included Darin Hurd from Guaranteed Rate, the second-largest mortgage company in the U.S., Lamont Orange of Netskope, a cloud security platform built to protect data and users everywhere, and Mike Zachman of Zebra Technologies, a global solutions provider driving efficiency for front-line workers.
All three panelists had participated in Protiviti’s CISO Next survey, which identifies security leaders as one of five “types” (Data Steward, Business CISO, Digital Native CISO, Connector CISO, Customer Advocate CISO) and suggests how each types’ traits defines and supports their leadership style. I’m a Business CISO, as are Darin and Mike, while Lamont’s survey results revealed he’s a Customer Advocate. But we all agreed that, had we taken the survey at the beginning of our careers, the results would have been vastly different, as the experiences that we’ve had over the years have shaped where we are today.
For current or future CISOs, here are a few highlights from our insightful discussion.
Does the CISO belong in the C-suite?
The unanimous answer among us was yes, although many organizations are not structured this way. “If security is important to a company, it has to be visible. It has to be a board room discussion, it has to be an executive-level discussion,” said Lamont. “I think when you’re operating from the trenches, four levels down from the CEO or the CIO and you’re trying to tell them about security and what we need to do with budgets…it’s just not effective.” Mike agreed, adding, “you have to act like you belong there. You have to have confidence and credibility in yourself — an executive presence. You also have to listen – a lot. That’s a good skill for any good leader, let alone any good CISO. Listen a lot to understand the company goals, the risk appetite and the priorities. And then come with solutions, don’t come with problems.”
“I’m a firm believer that every time you discuss a challenge with the executive team or the board, you also discuss a recommendation. You can’t be seen as the person who’s always complaining or always talking about what’s going to go wrong. You’ve got to be a positive and engaged partner with the business.” Being a CISO at the C-Suite level makes executive access and the conversation that much easier.
Is it important to have a security governance board?
Security is everyone’s responsibility and structuring a security governance board is one of the critical first steps in establishing a security-first culture across the organization. It is also often recommended that companies establish a technical council to ensure that the IT department can support the organization’s business goals.
Darin offered a glimpse into his experience: “We have a security council in place, made up of operations, tech, legal, security and privacy. The intention is to ensure we are aligned on all roadmap items which include major initiatives. Are we focused on the right things, the right objectives, the right outcomes? Are we heading down that path at the right velocity? This group provides air cover when we are making changes and expect there could be some friction and challenges when implementing new and emerging technology. Everything can be more effectively managed if the executives over those areas are aligned on the what, the why and the how.”
What are CISOs doing to build high-functioning teams?
On this topic, the responses were intuitive. Treat people well, respect their talents and compensate them fairly. “Meaningful work that’s recognized is key,” Mike said. “I want to be able to do interesting work; I want to know that my work and my opinions matter; I want to be able to have a career path to know how I can get where I want to go. That’s fundamental to any professional career. We must recognize that it’s a competitive market for talent and we must respond accordingly. Which means paying extra attention to our professionals.”
Darin said, “I think people want to be at a place where their opinions matter, where they can operate with some autonomy, that they’re working on cool projects, whether that’s cool tech or solving challenging problems.” Lamont added, “I think it’s important that leadership show they care about their teams.” He encourages team members to get away from their desks and go for a walk while doing one-on-ones each week. “Everyone is really focused, especially in this post-covid work paradigm. Our role is to make sure they don’t get burned out.” He believes it’s important to encourage team members to reach for the sky in their careers. “I tell my team, ‘if you want to do this, let’s go get it’.” Having a high-functioning team is critical to the success of the security program.
Where will the next generation of CISOs come from?
Our visionary panel felt the CISO Next framework will help organizations define the types of CISOs that will emerge in the next generation. “I think there’s going to be a crop that will be the digital native, who’ve grown up with technology and have hopefully grown up with security top of mind first and foremost,” Darin said, adding, “I think we will see a lot more of people who have a broader experience in technology, having grown up in cloud, DevOps, DevSecOps, etc.”
“At the end of the day,” Darin concluded, “our role is to create and sell a vision, find the resources, build a team, and deliver on the vision. Much of that is predicated on learning the business well and developing relationships well so that you can effectively target the vision you’re creating. Spending more time, talent and treasure on understanding those items, the relationships, the variables in the business, the cost drivers, the players, the market, and more goes a long way to help build your vision and ultimately make a large impact on the enterprise.”
Ultimately, our journeys are uniquely our own. Why not get to great more quickly than your peers?
Readers may also be interested in this blog: CISOs and Year Two of the Pandemic: How Did We Adapt and What Must Still Change?