SentinelOne has partnered with some of the most successful and acclaimed CISOs to create a blueprint for success. We are proud to launch our second ebook in the “90 Days – A CISO’s Journey to Impact” series – How to Drive Success.
Chief. Information. Security. Officer. The person in charge of protecting an organization’s information assets. The job title sounds so simple, even straightforward, and once upon a time it might have even been an accurate description of the role. It used to be enough to make sure all patches were up to date, network firewalls were in place, intrusion detection was set up, anti-virus was installed, and everything on the network was properly configured, locked down, and hardened. Being a CISO was primarily technical in nature, but times have changed. Realistically, the only thing unchanged about the CISO job is the title.
Today, the responsibilities and skill set required of a contemporary CISO have become much broader, all-encompassing, and far more critical to the smooth running of the business. CISOs often require familiarity with new and highly sophisticated technologies such as Software Defined Networking, DevOps, Serverless, Containerization, IoT, Virtualization, Machine Learning, and Next-Gen everything in order to protect them. Not to mention The Cloud and all of its many facets. Then there is an ever-expanding attack surface created by an explosive number of new users, more data, and more devices needing to be safeguarded. The threats to the enterprise posed by organized cyber-crime, nation-state actors, and even hacktivists are very real and an ever-present way of life — 24x7x365. And many CISOs have to interact not only with their internal teams on technical matters, but also with the board of directors, journalists, regulators, politicians, customers, vendors, and partners on a wide variety of business-level issues. The role of a CISO is certainly not for the faint of heart, but the multifaceted demands of the role are also why many find it so attractive.
Perhaps the best part of being a CISO is change. Every day there is something different going on. The business is developing new products and services with new technologies, the attack techniques the bad guys are employing to hack them are advancing, and at any moment the job might kick into a higher gear should an incident spring up unexpectedly. If you’re not learning and teaching every day, you and your team will quickly fall behind. That’s simply the nature of Information Security in general.
The major drawback is that a CISO’s contributions are always difficult to quantify and justify in the ultimate language of business — dollars and cents. This is especially true when, through skill and hard work, you have everything under control, nothing unexpected has happened, and your value is questioned. There never seems to be a ‘win’ condition; you’re only noticed when failure strikes. If things do go wrong, such as a breach, then you’re to blame as the designated “chief scapegoat officer”. And of course everyone around wants to tell you how to do your job. There will always be others trying to convince you of what’s most important and how what you’re doing isn’t enough. “Just buy this point solution.”
I’m not here for that. I’m here to share some thoughts on how to think about the role of a CISO, its place of importance in the larger world, and what personality traits make for the most successful candidates.
Bruce Schneier once said, “You can feel secure even though you’re not, and you can be secure even though you don’t feel it.” When it comes to being a CISO, we have to keep both of these in mind. The people we serve want to feel secure, and when they do, that’s of tremendous value to them. People need to feel that there is someone they trust who is protecting them, and should things go wrong, that person will also handle it well. Trust is what the feeling of being secure basically comes down to. At the same time, much of what CISOs do will never be known, understood, or appreciated outside of their peer group, the people who actually make things secure. In many respects, security people exist behind the scenes; they are the world’s silent protectors.
One of my favorite movie quotes ever is in Sneakers (1992), where Cosmo says, “The world isn’t run by weapons anymore, or energy, or money, it’s run by little ones and zeroes, little bits of data. It’s all just electrons.” How profound. If you think about it, those who work in Information Security are collectively responsible for protecting the world’s most sensitive information, its biggest secrets, entire economies, and often even the life and liberty of the billions of people connected to the Internet. CISOs, the appointed leaders, represent the tip of the spear, together with the unsung heroes they rely on every day. While face down in spreadsheets, locked up in meeting rooms, and poring over complex reports, let’s not lose sight of the larger mission and what we’re really here to do. To protect people. To protect the business. To protect the Internet.