There are A LOT of articles about what makes a good CISO. Let’s flip the script and talk about the type of company that could attract a good CISO. I live in Nashville, TN. I love football and root for the Tennessee Titans. Frankly, it’s been a hard road as a Titans fan. We’ve been bad for years. Why? Because the team had no real foundational leadership at the top. They couldn’t communicate who they were and what they wanted the team to be, so they drafted players and acquired free agents with no unifying goal, purpose or traits that said, “This is who we are and this is how we build.” The results showed on the field until an owner solidified her power and hired a GM, Jon Robinson, with a good plan and the power to implement it. I guarantee you things are changing for the Titans. Below are four company traits critical to the success of a new CISO.
- CONSENSUS ON THE GOAL. One of the first things I do when meeting a team is to place a simple scale on the table. One end says “Lax” and the other says “Hyper Vigilant”. I say, “Based upon the data you need to protect and your stomach for risk, place a mark on this scale that represents where you want your company to be in Security.” I’m hoping everybody’s marks land pretty close together. If they’re consistent, we’ve got a starting point. If there’s no consensus, I know that a new Security leader has a ton of consensus-building to do before the real work starts.
- CONSENSUS ON THE NEED. I heard a quote a few years ago that I use every week. It goes, “It’s not what you don’t know that kills you. It’s what you know for sure that just ain’t so.” I’m always interested to hear a company talk about what they want in a CISO. Companies fall into one of three groups: they aren’t sure what they need, they have experience and know exactly what they need, or they know exactly what they want and might be wrong. The first two are fine, but the third is usually bad news for all involved.
- CONSENSUS ON THE SPEND. If the company presents a unified philosophy on where they need to be on the Security spectrum and knows what they need in a leader, it’s critical to assess whether the company will actually execute. I want a Ferrari. I don’t have one because I’m not willing to pay for it. One of the worst things I see happen to CISOs, and I see it plenty, is when the pitch is big, he/she is sold, gets to the new gig and the money disappears. There’s always give and take, but companies must match the goal with the cash.
- CONSENSUS ON THE REWARD. Lastly, a company needs to give that CISO an opportunity to prove him/herself. I don’t believe a company should hand over 100% trust automatically. The CISO job is a consensus-building gig, and a person who can’t do that will never be a great CISO. But if a CISO proves to be a game-changer – a legitimate influencer – that person should be rewarded with a true spot at the table.