SecurityWeek

Management & Strategy

Security Leaders – Be Mindful What You Wish For

While serving as a security leader, how often have you heard or have yourself said, “If only the executives would pay attention to me?”

For years, security professionals and leaders in enterprises have begged to get noticed, only to be seemingly dismissed as Chicken Little warning about a falling sky. Unheeded warnings, poorly understood risks, and a lack of security input have created today’s climate of breach after breach.

Guess what? The executives are definitely paying attention now.

In fact, many of the security leaders I know and recently met aren’t just being noticed by their managers – the CIOs, the CTOs, and other direct managers – but also by their boards. As each additional disclosure hits closer and closer to home, CEOs and boards are bringing the CISO or their equivalent into the board room to have very serious discussions.

Two things are happening as a result.

First, we have a lot – and I mean a lot – of newly minted CISOs. This is fantastic for the industry and for people’s careers. It raises the level of security in enterprises that had previously been lagging and helps drive better security presence and relevance across all industries.

So, this is great! Unless you’re one of those CISOs who was the “security gal” or “senior security engineer” and suddenly finds themselves with executive-level responsibilities. The trouble here is that the conversations, tone, information and context are all dramatically different from what you’ve experienced until now. Your lexicon is no longer adequate to communicate effectively, and the tone of your discussions must change to adapt to boardroom-style discussions. This is a tough transition for many, and being given the CISO title doesn’t mean you are automatically given the ability to drive change.

Someone who has never been in a security leadership role before can easily confuse accountability with the ability to drive change. Being held accountable for the organization’s security is not a bad thing, but it can be career-ending if it doesn’t come with the ability to actually drive and enforce changes in behavior and culture. This is where not-for-profit groups like the Security Advisor Alliance bring tremendous value, through mentorship programs and support for these newly appointed CISOs who find themselves in dangerous waters.

New CISOs should strive to understand their position in the organization and figure out whether they’re just the Chief Scapegoat, or whether they are really tasked with improving their organization’s security. If the former, well… it’s time to polish off that ol’ resume. If the latter, you have a tremendous opportunity. Now comes the really hard part.

Second is what I now call the “so, now what?” problem. Your organization has suddenly found itself in need of a security overhaul, and whatever the catalyst for that need, it suddenly falls on your shoulders. Now what?

If all you’ve been doing is pointing out problems, without developing solutions to these problems, you may be in for a bad time. I once worked for a very wise executive who taught me the value of “if you’ve come to me with a problem, you’d better have a proposed solution.” I try to pass on that motto. All too often security professionals aren’t taken seriously because we are seen as the problem identifiers. Detecting problems without proposing solutions is a bit like a doctor telling a patient they’re gravely ill then walking out of the room. Once you’ve identified the illness, let’s work on proposing a cure.

I fully recognize the root of the condition identified here, too. It’s quite simple to find brokenness in the world around us. Nearly everything that runs on electricity has software that powers its function. That software has flaws. Guaranteed. Finding flaws has gone from a hobby to a full-time job for many, and it’s a critical part of the world: you can’t solve a problem if you don’t know about it. However, finding flaws doesn’t actually guarantee that they’ll be fixed. It’s much like the enterprise, where writing up a risk report detailing everything wrong with a particular process or widget is fruitless if it does not come with an equally impressive proposal for a solution.

I see the condition we’re experiencing now as a “be careful what you wish for” situation. So many of us want to be taken seriously. Now you’re standing in the spotlight, with executives and board members asking you to give your “so what?” How will you protect this company? How will you keep our critical assets, employees and bottom line safe from attackers and those seeking to do us harm?

Your move.

In part 2 of this post, I’ll share some ideas of how security leaders in various markets and industry segments are preparing for the spotlight, and shining in it.
