Being a CISO - The Right Place
Written by Keith Rayle
I was recently brought on board to lead the security effort for a company, and the choice was not easy from a personal perspective. I would have to leave warm, sunny Florida for Illinois, and do so in February no less. I love my home life and I worked hard to create a little slice of paradise down south. My wife and I are extremely happy together, and my little dog constantly reminds me to try to be that person she thinks I am. I traded palms and banana trees for ice, snow and heavily salted roads.
It all started with a message through a social media site from an old friend. We had not spoken in years, and it was great to hear from him. We had worked together in a consulting services company some years back, and we both had a great deal of respect for each other. He was now in an upper management position in Human Resources, and when they went to look for a CISO he reached out to me. I wasn’t looking for a job at the time, and in all honesty, I didn’t treat it seriously - initially.
I had a job that allowed me to constantly speak at conferences, and advise at all levels of security organizations regarding industry trends, tuning portfolios, and addressing issues within business environments. I was also writing industry certifications and teaching around the globe. My manager was a terrific individual and provided the latitude to do what I thought was important for the company and my career. His main concern was my happiness. Wherever I went, I was regularly asked how in the world I got a job like that... I could only smile and shrug my shoulders.
Why did I leave it?
Financially it was a good choice, but everyone knows if you chase money over happiness the money tends to lose value as misery increases. I’ve listed a few of the more important reasons for choosing to flip my life upside down and join this group. I hope they help to guide you as you seek the right job, at the right time in your career.
1. No Target
When I showed up and started interviewing, it became clear that the company was not looking for someone to blame in times of trouble. My approach, as I stated, would be to build a risk program while implementing processes and technical controls that resulted in a defense-in-depth security portfolio. I clearly stated I would/could not prevent intrusions nor would I expect to be a scapegoat if we got hacked. The reaction when I brought it up was almost one of incredulity - and extremely reassuring. They truly needed help, not a fall guy.
Look for a position that is responsible for building and managing an effective program - not a sacrifice during times of trouble.
The decision to hire a CISO and expand security spending was made by the executive leadership within the company. Every person I spoke with before and after completion of the hiring process was supportive of my presence. It feels like the executive team wants a CISO and not just a couple of them. As I explained my philosophy and strategy during the many introductory meetings, the buy-in was pretty apparent. I am sure not every executive in the company sees me as critical to success, but so far it seems that way. And at this point, I’ve talked to a majority of them.
If the majority of executive leadership does not see the CISO value, it probably does not exist. It might be time to move on.
Prior to my arrival, senior management knew the company needed to implement security education and training. The current workload of the security team did not allow for pushing the training into a full agenda. One individual in the executive leadership team decided to figure it out and implement monthly training. It was not in the individual’s professional expertise or knowledge base, but that did not matter. There was a distinct need for it, so he took it on regardless of it being outside of his job title. This speaks volumes about the character of the executive team and the perceived importance placed on applying protective measures regardless of who does it. It was absolutely a major factor in my decision to join this team.
Look for strong teaming and shared responsibility within the organization’s leadership.
4. Fix Problems, not Blame
One of the senior executives made sure I knew that egos and anger were not a part of the work environment. It was clear there would be frustration and rub points. Open, healthy dialogue and even conflicting ideas and thoughts are welcome and even solicited. It was also made clear that once a decision is made, the entire team aligns to accomplish it regardless of personal opinion. We cannot escape conflict in our lives, and change is inevitable. Frustrations will certainly occur in any position you take, but you hope to reduce or minimize them. Hearing this perspective throughout discussions with the top leadership was a welcome sign of group-aligned responsibilities and a positive direction.
Look for alignment of focus and efforts – it will reduce workplace stresses.
Another strong aspect of the job was placement in the organization. In the ideal world, the IT team implements and manages security technologies according to the rules put forth by the security team. When security works for IT, there can exist a problem relating to the separation of duties. The security team creates requirements and performs audits against IT’s completion of those requirements. Similar issues of responsibility and authority can arise if the CISO is misplaced within other areas of the organization chart. This position was placed such that the CIO is a peer, allowing that crucial separation. Being in the right place helps the organization by allowing you to be more effective in building the security portfolio.
Look for the right placement of security within the organization. It doesn’t always happen, but it helps create a clearer presence and more effective results.
First off – I am extremely fortunate to have found this position. There are steep challenges ahead, but the support for a security function across the organization is truly impressive. It is considered a key factor for the success of the company and everyone in it. The individuals I have the privilege of working with are top caliber, exuding intelligence, impeccable character, and a team mentality. I am simply humbled to be here and incredibly thankful for this opportunity.
You can’t always get that perfect job. We often start out at lesser positions, and the CISO slot can, at times, be pretty far down the pecking order. Seasoned CISO veterans are aggressively sought by organizations around the globe, but you have to start somewhere. You might not ever find that perfect job, but I hope you do.
What do you do if you are not in the desired position or set of circumstances?
You can’t hammer the above items into your potential or current job by simply asking the executive team if they are like this or do that. It isn’t how it works. Sometimes it is up to you to become the job environment you want. I often tell people happiness resides in a 5-inch line that runs from the left ear to the right. You determine it.
I believe the best change we can bring about is typically imparted due to how we act. Between now and finding your perfect job, emulate your vision of it.
A final thought…
Happy people pick you up,
the bitter drag you down.
The chief concern affecting you
is which you hang around.
- Keith Rayle, 2019