Australian Cyber Security Magazine, ISSUE 8, 2019


Cyber Security

3. Developing a strong internal network of allies. Identifying the astute individuals across the organization that can support them and reciprocate favours when called upon.
4. Coaching and mentoring their direct line of reports to delegate activities and act as trusted advisors in their absence and identify a clear deputy.
5. Continually adapting, gathering information, learning and developing new skills to improve their knowledge of the business, the industry they operate in and the information security domain.
6. Building trust and respect by engaging with impact, delivering reliably, sharing successes with the business and acknowledging the team members and colleagues that have supported delivery.
7. Sharing experiences and knowledge with peers and industry thought leaders.
8. Developing resilience is critical. It takes thick skin and resolve to be a CISO."

This article from the IndianTimes.com offers tips on what CISOs need to focus on to stay longer term. No doubt, all security leaders want to be successful and improve cyber defences, no matter how long they stay, and too many quick job changes can become a serious problem for resumes and personal reputations.

I have written many articles that are relevant for CISOs and other leaders in cyber careers, and here are a few to consider on this topic:

• CSO Magazine: The case for taking a government cyber job: 7 recommendations to consider
• Govtech.com: Security Pros Need a Mentor: Here's Why and How
• BankInfoSecurity.com: The Value of CISO Mentoring
• Govtech.com: Evaluating Technology and Security Leaders

In the last piece about evaluating technology and security leaders, pay attention to the questions that John Maxwell has about leadership impact. Also, notice the planning perspective from these state CISOs (from earlier this year) from Nebraska and North Carolina.

For balance, I encourage you to read this article on 11 reasons to stay in your current job (even if you hate it). Here’s how it starts:

“'I hate my current job and I will leave this place!' How many times have you heard someone say that line? To some people, it’s too often. It’s unfortunate how rare it is for someone to come across another individual who loves what he/she is doing in his or her place of work. It’s more likely for you to encounter someone ranting non-stop about how 'unfair' his or her employer is and how much 'he or she wants to leave'. In fact, this person might even be YOU …”

Closing Thoughts

I know. I know. I have done little in this article to prove to you that CISOs leaving early can cause more security data breaches or other security incidents. My gut tells me that security effectiveness is (at least partially) related to CISO longevity — so send any research my way if you have meaningful data (either way).

NO DOUBT, some CISOs must go — and the sooner the better for an organisation. (If this is the case, I question an organisation's hiring practices, but that is a discussion for another day.) Nevertheless, this topic must start getting more attention for the cybersecurity industry to improve. The bad actors are laughing all the way to the bank at all of the cyber leadership turnover in so many organisations. Some CISOs also take their teams (or best security talent) with them when they leave.

I really like this excerpt from a CSO Magazine article on CISO longevity:

"Take Andy Ellis. As Akamai's chief security officer for the past eight years, Ellis has played a central role in implementing a zero-trust data access model that has fundamentally transformed the company's security posture. Over a total of 16 years in various security roles at Akamai he has helped define and evolve the organisation's core security strategy. Ellis believes that being at the same company for so long has been critical to his ability to affect change. 'I've gotten to mould this position,' Ellis says. 'As I've gone along, it's been like wearing a comfortable glove. I understand how the organisation works; therefore, I can get more done.'"

Andy Ellis’ experience has also been my experience while at the state of Michigan for over 17 years as an agency CIO, enterprise CISO, CTO and CSO. You can read about that CISO/CTO/CSO journey here, but happiness, career satisfaction and impact are not just measured by money. I have also seen this same trend in numerous other state governments and private-sector entities.

Getting more personal:

The key question you will ask yourself, when you look back at your time as a security leader is: “What lasting difference did your team make regarding cybersecurity under your watch?”

Bottom line: Leading any organisation for two years or less is generally not enough time to build a positive legacy and improve the cyber culture. Strive to build strategic (and tactical) plans that are (at least) double that (four years or more) as a CISO. Next, stay and deliver effective cyber results.

About the author

Dan Lohrmann is an internationally recognised cybersecurity leader, technologist, speaker, blogger and author and was named as one of the World's Top IT Security Influencers in 2019. Building effective virtual government requires new ideas, innovative thinking and hard work. From cybersecurity to cloud computing to mobile devices, Dan discusses what’s hot and what works in the world of gov tech.

