Every path taken to become a CISO looks a little different. But while all security leaders must share a few common traits — the ability to handle a crisis, communicate with executives, and manage a team, among others — the technical skills they need largely depend on the business.
"The CISO role still has so many definitions to it," said Rinki Sethi, vice president and CISO at Twitter, in a panel of security leaders at last week's Diana Initiative. The CISO who works for a startup may be expected to have highly technical skills, architect solutions, and work closely with the engineering team. The CISO at a large organization may be more risk-focused and have a better grasp of the business — and a level of business understanding, experts agreed, is crucial.
While there is a benefit to understanding technology, the most important thing for a CISO to understand is how that technology maps to an organization's business needs, said Ann Johnson, corporate vice president of security, compliance, and identity at Microsoft. Working closely with business peers and understanding their objectives is as important as technical aptitude.
"It's great if you're super technical, and you know crypto, and you can decode 50,000 lines of code and see the bad line, but if you can't talk to the board, and you can't talk to the team, and you can't manage, what's that really worth?" added MongoDB CISO Lena Smart.
Smart is seeing more CISOs who have that hybrid skill set: They are technical to a point and earn the respect of their peers and team, but they can also "dazzle the board," and they have the business acumen needed to get the job done and clearly communicate what they need done.
Staying Calm in a Crisis
CISOs' responsibilities may vary across organizations, but they will all be involved when a crisis strikes. How have these experts handled security incidents in the past?
"The last thing you want to do is start running around with your head cut off and freaking everybody out," said Sethi, who remembers taking deep breaths to calm her heart rate during the last incident she managed.
"It's all about maintaining calm, understanding the facts of what's going on, being able to communicate with the executive team, and setting boundaries so the team can go in and investigate, contain," she added. Caring for the team and making sure they're able to do their work in a healthy way while the CISO communicates updates to the execs are both essential, she said.
Hopefully, Sethi added, you'll have a crisis management plan in place, a point that Johnson, who was working at RSA during its breach 10 years ago, emphasized for security leaders. The plan should be tested and communicated, both in practice and throughout incident response, and with all people across the organization who need to be involved — not just the tech team.
"When you're doing an event it's more than just technical … you have legal concerns, you have public relations concerns, you have board concerns, you may have regulatory concerns," she said. "All of that needs to be in the plan so when you do hit this crisis, you're not in crisis mode. You're just working the plan that you've already developed and tested."
Smart, who previously served as the CIO and chief security officer for the New York Power Authority, described in an interview with Dark Reading how she brought together 60 agencies to run a large tabletop exercise in which the power grid came under attack.
"No one had even thought of this before," she said. "We had to work a lot of different scenarios, and I think it opened everyone's eyes to, 'Oh my gosh this really could actually happen.'"
Her advice to leaders in a crisis is to "remain as calm as possible." When running tabletop exercises, Smart makes clear that it's a safe space. "You can shout and scream and blame people all you like, as long as at the end of it, we work out: This is your role, this is what will happen if the inevitable hits the fan," and create a playbook for what they need to do, she said.
Communication Is Key
CISOs know it's important to communicate with other people: their team, execs, the people across the business with whom they work. But what is the most effective way to do that? How should CISOs effectively communicate, and how do they wish people communicated with them?
Wendy Nather, director of advisory CISOs at Cisco's Duo Security, says the best thing that has worked for her is trying to find out in advance what people want to know. As an example, she pointed to risk discussions. The biggest gap she finds between the CISO and the C-suite is the agreement on how probable a given risk is, she noted.
"Trying to have that discussion with them about 'How likely do you think that is?' and walking through it with them in their language … If they give you the answer, they're more likely to believe in it than if you give them the answer," she said. Further, it's important to give people the information they want, not necessarily the things that are interesting to you, Nather added.
Johnson's communication tips are to know your audience — "Every company culture is different and every person you're communicating with is different," she said — and to tell a story with the information presented.
Microsoft, for example, is very data-driven, and depending on whom you're meeting with, you may need a stack of data to deliver your point. But regardless of the meeting, or how much data they have, presenters need to share the context around that information. What story is the data telling you? What three points do you want everyone to leave the meeting with?
"If you can focus on three things, start every conversation with that in mind — if it's a really data-driven organization, make sure your data supports those three things — and get those outcomes … That's how I try to drive every meeting at any level," she said.
Sethi, too, prefers conversations that are direct and upfront. CISOs often hear about issues across the company, she said. If there is a specific problem to be addressed or point to be made in a meeting, attendees should present that information first: not just the problem but their proposed solutions for solving it.
Leadership Based on Relationships
As Tracy Maleeff, security researcher for the Krebs Stamos Group and moderator of the panel, quoted Rosalynn Carter: "A good leader takes people where they want to go. A great leader takes people where they don't necessarily want to go, but ought to be."
The leaders on the panel all had their own experiences and advice when it came to managing teams. Building connections with employees is essential to becoming an effective leader, and trust and honesty are both at the foundation of those relationships.
"It's hard to influence or set a strategy, and get people on board if they don't trust you," said Sethi. "Trust is everything, especially for a role in security." She admitted making the mistake of going into a company with a 60-day strategy and zeroing in on its progress without focusing on her relationships there. When the execution wasn't going as planned, she took a step back.
"It made me realize, I have to slow down to really be effective, to then be able to move fast," she said.
A trusted relationship with employees can help when it comes time to have hard conversations, added Johnson. Some people know what they want to do in their careers; others aren't as sure. It can be tough to sit down with an employee and discuss how a role isn't the right fit for their skills, and they need to trust you in order to find a position that might be a better fit.
Two key challenges for CISOs are finding individuals who fit, in terms of both skills and culture, and finding ways to make security relevant across the organization. Smart has effectively done both with MongoDB's security champions program, one of her first initiatives at the company.
The "champions" are colleagues from different roles, on different teams, who volunteer their time to work with the security team and better understand security. These representatives then bring the concepts they learn back to their teams, where they're tasked with helping colleagues understand. It's a voluntary program with more than 80 members — and a waitlist.
"When people understand they have a real role to play and it's a really important role to play in security, that makes their jobs more enjoyable, I think," she explained in an interview. In addition to spreading awareness, the program has helped add to MongoDB's security team. Some members have switched roles after the program exposed them to security careers.