Effective cybersecurity operations are as unique as the business models and technology choices of the companies they protect. Their creation and management are constantly complicated by a lack of common terminology and set of expectations, due mainly to the chaotic path our industry has taken since its relatively recent birth.
Cybersecurity leaders are similarly difficult to measure and understand because our language and their capabilities aren't clear, with the lack of a common nomenclature further reflected in the assessment of skill sets and qualifications. The mix of cybersecurity complexity, opaqueness, and urgency creates a vague picture of who can successfully lead and hold responsibility for the operation.
The relative immaturity of the cybersecurity function leaves insufficient organizational precedent for titles and hierarchy. Some organizations default to practicality: Whoever runs IT or the help desk becomes the security leader. Others are interested in hiring a chief information security officer (CISO) who will manage the details of security that are unfamiliar to all other business leaders. Neither of these approaches is healthy.
The popular narrative around security is dominated by images of fear, uncertainty, and doubt. We're led to believe security is terrible, that breaches are inevitable, or that the right leader can render the organization invulnerable. This kind of absolutism usually comes from those new to the space who aren't yet well-versed in security. It's pervasive, it's incorrect, and it breeds insecurity for both the organization and the individual.
According to one report, stress (60%) and burnout (53%) were the largest personal risks CISOs face. It doesn't have to be that way. These difficulties start early, with CISO job postings that are poorly constructed, written by someone who doesn't have proficiency in security, and without clear descriptions of desired outcomes. A game-changing shift is a focus on those outcomes and the role that supporting business objectives play in evangelizing, and ultimately delivering, security. The resulting CISO is far better prepared to thrive in the organization and accelerate adoption and understanding of cybersecurity.
How does a CISO do that? Here's the advice I would offer — a guide to creating supporters, champions, and realistic expectations.
1. Set Expectations
The difference between successful leaders and those who burn out is communicating the realities of cybersecurity, from current measures to potential future states. The burnouts accept and even promote the expectation that they will heroically keep an organization from getting breached. History has painfully, and repeatedly, proven that the very best CISO cannot block everything. Successful, more balanced CISOs focus on improvements in protection and in demonstrating progress.
Successful CISOs are specific and transparent about what they will do in their role. They reinforce the reality that security is a team sport. These communications and collaborations are far more important than any technology purchase or deployment. Security budgets may have tripled over the past four years in the face of increasing cyberattacks, but a bigger wallet won't solve every problem.
When you create a common language and vision within your organization, everyone understands the topics when you evangelize security for a particular outcome. It also means that everyone knows what to do when an incident occurs. As a result, the stress levels will lessen, as will the frequency and pain of today's CISO burnouts.
2. Be a Business Executive First, Cyber Expert Second
The ability to solve business problems using security is what turns a security practitioner into a CISO. This is especially difficult for the organization that has asked a non-security IT professional to oversee security. That person may not understand that the role isn't just about being an elevated security expert. Understanding risk, tradeoffs, costs, and enabling business objectives is what creates successful relationships and outcomes.
As an example, imagine a company expanding into Europe. That expansion is subject to the General Data Protection Regulation (GDPR), and this will influence priorities and investments in areas that may not be as critical to a purely security-focused program. A valuable CISO recognizes the business need and context for the controls they recommend. In this example, fines could easily outpace the financial impact of a minor breach, and communicating those tradeoffs is good for the business and good for the reputation of the CISO.
In general, successful business leaders have an area of personal expertise, but thrive by enabling macro-objectives. As CISO, your security expertise should always make cybersecurity a business accelerator, not a hindrance.
3. Align on a Strategy
Long-lived and successful CISOs are intentional and calculated in their planning and decision making. Without a strategy, you're purely reactive, and you find yourself reacting to fires all day, every day.
Instead, when you design a security program, create a structure that allows you to manage by exception, not rule. This lights a torch to guide others in the organization, empowering them to excel. You'll quickly find that most people want to do the right thing. If you explain what that success looks like rather than point out their failures, you'll start building a security muscle, and security support, across the organization. Peers will know when to put their hand up and ask for help, and it will be easier for you to impact direction because you're not advocating the changes alone.
Be That CISO
When you've created this kind of culture, management expectations are rooted in reality, where everyone considers their effect on the organization's security posture, and CISOs aren't faced with surprises, resistance, and friction that make them want to quit. If you advocate with the clarity that most cannot find in cybersecurity, you will achieve the outcomes everyone is striving for.