On LinkedIn I ran across a post from Mark Kraynak, a cybersecurity investor and advisor here in the Valley. His insights on how poorly CISOs communicate their value to the business reminded me of something.
Here’s what Mark had to say…
Mark’s realization about the importance of the CISO as a good communicator harkened back to a moment in my own career.
About five years ago I was debating whether to start my own company or take a CISO role at one of a number of large, public companies. About half of the places where I was interviewing had CISOs in place already and were looking to replace them. The other half were actively looking for someone to replace their last CISO. The companies were a mix of technology companies and regulated businesses that cared deeply about security.
In each case it was very clear that this was an extremely important position for them. Yet, in each case the CEO was always one of the last folks I spoke with. In each of the conversations with the CEOs, I asked them a simple question:
“What are you looking for in your new CISO that you don’t have today?”
Amazingly… and surprisingly… all responded with almost exactly the same answer:
“I want my next CISO to be more like a General Manager.”
The CISO as GM
I was not expecting that answer, so I probed a bit more.
“What do you mean by that?”, I asked.
Their responses usually sounded something like this:
“First and foremost, we’re a company built on a very specific mission, with a culture and values that are inherent and don’t really change. Our security leader needs to recognize that and work within that construct. They don’t get to create their own rules.
“Second, they need to understand how they’re contributing to and supporting the business. I don’t think our last CISO had a clue how the work they did helped the business overall. OK, so we got SOC 2 and PCI certified. But when they added [new technology or process], did they make tradeoff decisions aware of how that slowed us down? Security is the tail on the dog, not the head. The CISO needs to be proactively responding and aware of business decisions, not constantly reacting to fire drills.
“Third, the last CISO was a terrible communicator. Whether it was to other executives, me or our board, they communicated in technical details, not business terms. We tried to simplify it by asking, “how do we compare to other companies like us?” They just kept talking about details of audit results, training completion or vulnerabilities.
“General Managers don’t do this. A GM is responsible for clearly identifying, building strategy, and articulating the projects in support of the business. A GM oversees a budget, employs marketing strategies to gain adoption, finds operational efficiencies, continuous improvements and more. Our CISO didn’t think these things were big parts of their job.
“Finally, security feels like a Sisyphean exercise. We’ve been pushing this rock up the hill, but every time the CISO says we’ve made gains, either something bad happens, I’m asked for more budget, or both. If one of our GMs did this, I would have fired them on the spot. You can’t be a GM and act like this.”
Broadening Our Skills
None of the specific comments from these CEOs really surprised me that much. But two things did stand out:
- Most CISOs haven’t gotten to the point where they’re a trusted member of the executive staff.
- We’re not seeking out opportunities to understand how we’re perceived. It’s on us to get that feedback from our peers and superiors.
The surprising thing to me was that CEOs want their CISO to act more like a General Manager. It so succinctly and directly encapsulates where information security as an industry needs to improve.
We all need to take a step back and actively seek feedback on:
- Are we fitting into the company’s culture and vision that was established before we got there?
- How are we perceived as supporting the business?
- How are we perceived as adding friction to it? Are we the Office of “No”, or the Office of “Yes, but…”?
- Is the friction we may be adding rooted in data and risk, or is it just a HiPPO’s (highest paid person’s) opinion?
- What is it that our audiences need to hear about our security program?
- How do we convey that in a way that isn’t security-speak? Each level of the organization requires a different level of communication. We need to adjust this for them, not the other way around.
- How can we convey where our program is today and where we’re taking it in the future?
- How can we convey a level of conviction and high integrity commitments?
- How can we seek to gain efficiencies in operations and budget?
These are all skills I wish I had when I first became a security exec. These qualitative skills were the hardest and took the longest to hone, but in the long run have been the most valuable in growing my own career.
Best of luck! Feel free to hit me up if you have any questions on how to act more like a GM.