The CISO is an organization’s top person in cybersecurity. Is that it? Is that the end of a CISO’s career progression?
SecurityWeek talked to the CISOs at Zoom and Thycotic – companies that are both front and center in the expanding remote working or work from home (WFH) culture. Jason Lee is CISO at Zoom Video Communications (Nasdaq: ZM). Joe Carson is the chief security scientist (CSS) & advisory CISO at Thycotic.
We wanted to know, first and foremost, is there any career path left for a CISO; or is there nowhere else to go. Is being a CISO effectively a dead-end job?
“It’s not a dead-end job,” said Carson. “You’ve reached the top of the pillar in one aspect of the business, but it’s not the only position a CISO can occupy.” He pointed to the CIO, “often considered a higher-level board or executive team member than the CISO.” A combined CIO/CISO position would give the CISO responsibility for the entirety of a company’s information, not just its security – but it is not entirely certain that CISOs would consider it anything more than a sideways rather than upwards movement.
Alternatively, suggested Carson, a very technically oriented CISO might have the opportunity to move into a chief technology officer (CTO) role. The difference between the two opportunities is that the CTO role would require an almost visionary approach to emerging technology, while the CIO role would require a deeper business perspective.
Lee has already seen a developing trend for the CISO to take over the CIO role. It’s a concept not unknown to the business world, where a subsidiary becomes so successful that it takes over or possibly becomes more important than the original parent organization.
“There’s a couple of cases,” he said, “where the CISO is starting to take over the role of the IT organization and IT responsibilities.” What interests Lee is that the CISO’s risk management expertise is being added to IT operations – a technical CISO with added risk management expertise becomes an attractive option for the modern CIO.
The concept of risk management – something all CISOs must understand – is the important element. We have seen many times in this series that the modern CISO needs to understand and be fully immersed in the business side of the organization. So, the modern CISO needs to be technically minded, deeply involved in all aspects of the business, and conversant with the principles and practice of risk management. That is almost a job description for a Chief Risk Officer – and CRO, one of the most senior positions in any company, is certainly a potential aspiration for any career-minded CISO.
For now, the most common reporting hierarchy for the CISO is to the CIO. This remains a complex issue. The diplomatic response from many CISOs is they don’t mind who they report to so long as there is a good strong supportive relationship between the two. But that is not always possible. The CISO needs that relationship to perform his or her job. The CIO does not need the CISO to manage the IT and infrastructure side of things. So, the onus is one-sidedly on the CISO to make the relationship work.
The problem is a potential conflict of interest caused by different priorities. The CIO might wish to do something new to improve the business of information which the CISO considers to create a security risk. “What you really don’t want,” says Carson, “is your superior sacrificing security for the business priority.”
He offers two solutions – the first being reactive and the second being more proactive. “I always recommend that no matter what you do, you always stick by your ethics, you stick by basically what is the right thing to do,” he explains. That means, in the face of a veto, you document your recommendations. “So, if something does happen, you do have the ability to go back and say, this was our recommendation, this is what we recommended. It was vetoed.”
The more proactive solution is to have a decision-making committee. While the CISO may technically still report to the CIO, security decisions should be made by a group of people ideally comprising the CEO, the CFO, the CRO, and the CIO. If this arrangement does not already exist, the CISO should attempt to engineer it. “All of them together should be finalizing the recommendations of the CISO,” said Carson. “You’ve then got basically, a major part of the executive board team, who all have some responsibility to the security of the organization, providing their weight into the decision. It removes any simple conflict of interest between the CISO and CIO.”
Recruitment and diversity
Recruitment remains a problem area for the CISO. The cyber skills gap is well-documented ‒ meaning the CISO must often choose between lowering his sights or leaving the vacancy open. Different CISOs have evolved different approaches to resolving this issue.
“I have a philosophy on hiring,” said Lee, “and it’s really looking at behaviors. A person doesn’t necessarily need to have a computer science background, doesn’t have to have that hardcore technical background to be able to come into the roles, and even leadership roles, in my organization.”
‘Potential’ is key for Lee. “I’m looking for somebody that comes in with the learner mindset,” he continued. “Technology is constantly changing in security, and you’ve got to want to keep learning and keep moving with it. So, I’m not necessarily looking for somebody that’s a technical expert ‒ I’m looking for somebody who’s interested in the technology and excited by it; and can show the ability to contemplate future technology.”
But he added, “The other thing I’ve found is it is critical to have strong collaborators and communicators. Those soft skills are necessary because security resides in so many different parts of the organization. I’m currently under the COO, but I’ve seen the role under Chief Legal Officer, the CIO and other departments. Either way, it means the security team must collaborate really well with counterparts in Engineering, in IT, and in all those organizations. So, to me, somebody who can build those relationships is far more important than somebody who has a whole long list of certifications.”
Lee is really talking about another buzzword in security ‒ diversity. Diversity often focuses on the need to get more women involved in security. This is important, but diversity itself is much wider. The modern CISO seeks to incorporate a wide range of people into the security team: ethnicity, religion, academic and social background as well as gender. The theory is that diversity brings different ways of looking at and solving problems ‒ and that can only be good.
“Diversity is more important today than it’s ever been in my entire time in the industry,” agrees Joe Carson. “It’s not just about technology anymore. Fifteen years ago, it was just technology. But now it’s so much beyond that – you must have communication skills; you must have someone who understands user behavior; you must have someone who understands about brands and impact; you must have a risk person. Diversity in the industry is so essential that it’s no longer about just having good technical skills. When you have a cyberattack or a cyber incident, or a ransomware attack, it requires a huge amount of diversity of skillsets, and backgrounds of people to be able to handle that.”
In today’s world, he suggests, where technology is everywhere and everyone is connected, “diversity is essential for the business to ensure it has what I call a 360 security strategy, rather than just an old traditional technical strategy.”
So, we asked him the ultimate question for diversity in recruitment: would you hire a reformed hacker?
“Absolutely, yes,” he said. “Hackers have a unique perspective on the world.” He stresses, however, that the CISO would need to take extra care over vetting, be certain there’s an adequate level of mutual trust between the two, and ensure constant visibility into the work being done.
“But, absolutely yes,” he continued. “The best people in the organization to help you detect attacks are previous victims and hackers. Victims of attacks are sometimes your best advocates within the organization. And former hackers are your best threat hunters, able to determine when something suspicious is happening. So absolutely, hire them. They’re the people that have the perspective into thinking like a hacker; and I think all organizations must have at least one person who has that mindset.”
Attributes of the modern CISO
Being CISO is clearly a complex and difficult job, demanding specific personal attributes. Carson lists four: leadership, communication skills, ability to translate between technical and business, and the ability to listen. Leadership involves being on top of everything all the time, so that you know where to find anything at a moment’s notice.
Leadership is an interesting one: are you born with that quality or is it something you can learn? “It is something you can learn,” says Carson. “Some people learn it faster than others, but it’s something that can be taught and learned.”
He suggests getting a leadership mentor. “When I was young,” he said, “I was an introvert and very shy. I was struggling to stand up in front of a crowd and speak.” To solve the problem, he surrounded himself with great leaders. “I looked for people who were great at that area, I watched and learned, and I absorbed some of those skills into my own personal capabilities. So absolutely, leadership is not something you are born with, it’s not genetic. However, depending on the person’s personality, it can be learned quicker or slower. It’s the acceleration of learning which is critical, how fast you can pick it up.”
Lee agrees that leadership can be learned. “There are many kinds of leadership. You need to understand what your strengths are, and you can build on those strengths. One of my favorite books is Marcus Buckingham’s Now, Discover Your Strengths. And I’m a huge believer in the concept of ‘servant leadership’. When I’m talking to my team I like to ask, ‘how do I enable you to work faster? Do you have any roadblocks? What do you need?’. So, I feel I’m empowering the team, because I’m really just a conduit making sure that the security program is moving forward, and the partnership across the company is going well. So, Servant Leadership is a big, big thing that I like to focus in on.
“But it takes time to hone these skills, and just because you’re a people-manager, doesn’t make you a leader. You don’t even have to be managing people to be a leader.”
Of Carson’s remaining attributes, communication and interpretation go together. “You need to have very strong communication skills,” he said. “But that’s not enough on its own. Within that communication you must also be a good interpreter ‒ you must be able to translate very technical issues into good business speak, and vice versa.” To achieve this level, you need Carson’s fourth attribute: to be a good listener in order to understand.
“In my early years,” he said, “I tried spending a day or two in the employees’ situation, to understand what it’s like in their chair, to understand what it’s like to walk in their shoes, and get a feeling for the critical decisions they have to make on a day-to-day basis. It’s when you put yourself into that scenario that you start to understand your job is not security ‒ your job is to help others be successful, while at the same time reducing the risk against the business.”
Lee also agrees with the need for similar communication/interpretive skills. “Being able to communicate that business context and being able to build really strong relationships with all your peers across the organization are really important. I have a fantastic relationship with the president of Engineering at Zoom. We’ll have meetings where literally our hats are switched ‒ he’s approaching things from the CISO perspective, and discussing it, and I’m doing the same from the technology side. Being able to build that sort of strong relationship, where you can switch and go back and forth with each other on it is, well, really critical!”
The remaining attributes for Lee are to be adaptable and able to move fast. “I think all the CISOs going through the pandemic have had to do this, or have struggled if they can’t adapt.”
Advice: received and given
Part of listening is listening to good advice; and part of communicating is giving good advice. The best advice Carson ever received came from Brian Honan, who was his manager 22 years ago ‒ and is still a mentor today. “I’m a techie,” explained Carson, “and I’m also a perfectionist. Artists are often perfectionists while working on a new painting ‒ they’re not comfortable with other people seeing their work until it’s finished and perfect. But that can take a long time and the approach doesn’t work for a CISO. Brian’s advice to me was, ‘Joe, I know you’re a perfectionist, but you have to open up and let other people see what you’re working on, because their feedback is important.’”
The advice Carson would give to aspiring security leaders today (advice he was given some 15 years ago) is that the most important asset we have in this world is ‘time’. “We have to make sure that we make the most efficient use of our time. If it takes me three hours to do something, and it takes a colleague one hour, I should delegate to the colleague who can do it faster. Time is our most valuable asset ‒ don’t waste it.”
The best advice that Lee ever received was wrapped in a story from an earlier manager, but also stresses feedback. The manager was preparing for promotion, and went to talk to his boss. The boss said there were three things he needed to work on. Given the first one, the manager pushed back and suggested the boss hadn’t understood the context of why he was there. The boss simply replied, ‘Okay, we’re done.’ The manager asked why, when there were two other areas he should work on. “It’s clear,” said the boss, “that you’re not ready to hear feedback.”
The moral that Lee took from this: “When you get feedback,” he said, “always accept it as a gift designed to make you better. You may not like it, it may taste bad, but it’s always something worth thinking about. Think about how to be constructive with it, and take it. Don’t defend your position, just accept the feedback, and learn from it. The other part of this is to make sure that your manager is giving you feedback and keep asking for feedback. It’s important for your development.”
Lee would offer the same advice to others, but would have one more offering for anyone wishing to be a CISO or to advance a career in any other role ‒ the notion of being a multiplier. “As an individual contributor,” he explained, “it’s good to be able to say, ‘I doubled the amount of work I did last year’. That’s fantastic, doing twice as much work! However, the person that succeeds the most is the one who helps five others double their work. Really being able to multiply and help others be successful, those are the ones that really succeed. Look for those opportunities to be a multiplier, always.”
In a slight variation from our usual question on future threats, we asked our CISOs what needs to be done to cope with the future threats. For Lee, the priority must be at the endpoint. “There’s no more perimeter to defend. Your endpoints, wherever they are, are the network edge.” He advocates the zero-trust model for protection.
“However,” he added, “you have to keep a focus on the ransomware and phishing so prevalent today ‒ which means you need a new style of learning and training system for all your remote workers. How do you make that engaging, inclusive and effective when you can’t bring everyone into the big auditorium? I’m a huge fan of gamification and having competitions around learning. We’ve got to keep pushing the bar in this area.”
Carson sees a similar future with a similar solution: the perimeter has gone, and remote working is here to stay. The pandemic accelerated the move to working from home and the associated increase in cloud and cloud applications. This is causing difficulties for the SOC. “Getting true visibility with that is difficult today,” he said, “because you might have different dashboards that only give you certain visibility into certain parts of the full estate. You might have a dashboard that shows your Cloud; you might have a dashboard that shows your own premises, a dashboard that shows certain devices. Getting full and central visibility is essential.”
On the endpoint, he said, “Remote working will become a permanent fixture for many organizations, and that means that Cloud and ‘use any device from any location’ will become the norm. This is really where the new perimeter is: identity, data, and access. That’s where security lies in the future, and those are the three important ingredients that organizations must invest in to ensure they can continue innovating and providing access.”
But there is also an unexpected benefit from the growth in WFH. “Organizations who historically might have traditionally had a perimeter office-based type of culture, will find they are now able to expand their talent pool ‒ because now they can have a global talent pool, rather than a location-based talent pool. Organizations now have a much wider and more flexible talent pool to hire from because the world is adapting to a remote working culture.”