The role of Chief Information Security Officer has been around for a couple of decades. And while many large companies still don’t have a dedicated CISO, fallout from prominent security breaches and the increasing visibility of information security in general might change that, soon.
How do executives deliver information security to their organizations? How did they develop the unique combination of technical understanding and leadership competency to lead cybersecurity departments? By chronicling the career journey of several cybersecurity executives, you will learn how they became executives and their approach to deliver security.
Building knowledge and getting hired
Success as a CISO requires technical expertise, robust communication skills and a strong network. There are many roads to the CISO role because the role is relatively new and security challenges evolve rapidly. Bernie Cowens, CISO at the Pacific Gas & Electric Company, started his security career in the U.S. Army where he focused on protecting physical assets and military intelligence. Troy Thompson, CISO at the Pacific Northwest National Laboratory, came up through the ranks supporting complex, high security research projects. Jeff Wright, CISO at Allstate, developed his expertise in network security. In every case, building a foundation of technical excellence was the essential first step to becoming a CISO.
Getting hired as a CISO is a complex process involving multiple participants. “I was contacted by a national search firm about six months before I started in the role,” says Cowens, who went on to interview with more than 20 people at the organization. Other organizations emphasized personal networking to find the right person. “Several years before I was hired, I met a few Allstate executives. Over time, we got to know each other and I was encouraged to join the organization,” says Allstate’s Wright. Multiple interviews and an extended hiring process are par for the course on the journey to the CISO’s office.
From reactionary to contributor
Information security professionals have an unfortunate reputation in some circles. “Traditionally, companies had a defensive stance where we waited for an attack to happen,” says Cowens. “I once came across a CISO who had the reputation of being “Mr. No” or “Dr. No” because he constantly had negative responses to the business,” says Sam Masiello, CISO at TeleTech. The negative, reactive reputation information security has obtained is slowly changing due to the leadership efforts of leading CISOs.
The proactive approach to information security leadership starts at the highest levels. “The board has taken an interest in cybersecurity and I am on the agenda of nearly every board meeting,” says PG&E’s Cowens. “There is strong interest in cybersecurity with the board, CEO and senior executives. I interact with them regularly on the topic: it is not an annual exercise,” says Wright. “Writing and presenting one page briefings on cybersecurity topics is one approach I take to support the board in becoming knowledgeable about security,” according to Cowens.
Viewing security as a matter of risk rather than a binary secure vs. not secure is an important attitude CISOs bring to the table. “I recommend adopting a ‘here’s how we can do that’ attitude for security leaders,” says Cowens. The consequences of failing to partner effectively with the business are substantial. “If you are perceived as a business obstruction, the business ‘go rogue’ and act without the support and advice of the security organization,” says Masiello who joined TeleTech as CISO in 2015.
Building a security culture
CISOs may build the best security teams and technology at their organization and still fail if culture is neglected. “Cybersecurity training is like going to the dentist: it is necessary but most people find it painful,” says Troy Thompson, who leads cybersecurity at the Pacific Northwest National Laboratory. When training is painful and unwelcome, non-security employees are unlikely to focus and adopt the new behavior.
Advice to aspiring CISOs
How exactly can you become a CISO if you have already built your security reputation? The ability to effectively communicate with a range of audiences is essential. “In my role, I discuss security matters with the board, with internal staff and government regulators,” says Wright. Addressing the security and privacy questions raised by regulators is rapidly becoming more important in insurance, banking, utilities and other highly regulated fields.
“Strong experience in IT operations adds to your credibility as a CISO. It means you will have walked a mile in their shoes,” adds Thompson. “Developing relationships with mentors and peers – including those at other organizations is valuable for career development,” Thompson says. “Given the highly sensitive nature of cybersecurity work, I suggest taking your time to build relationships over time,” he adds. Achieving success as a CISO requires the ability to quickly adjust to different audiences, take a risk based view of security and built strong relationships.