I learned a great lesson when I was a teenager in the mid-1980s growing up in Little Rock, AR. Billy Graham announced that he would do a crusade at our outdoor college football stadium. Back then, if Billy Graham showed up to speak in your town, it was planned meticulously for six to eight months in advance, hundreds of thousands of people showed up, and it was prime-time, front-page news every day and night for the week he was there. I wanted to see and hear one of the most influential men in the world. I figured that he would be a booming, charismatic figure and that I would hear wisdom that I hadn’t encountered before. I packed in with 45,000 other people on a sweltering summer night common in the Deep South. I was terribly disappointed as I watched a small, somewhat frail man stand behind the mic and deliver, in a soft-spoken voice, one of the most basic speeches I’ve ever heard. It was calm, kind, and elementary. After 25 minutes he sat down and I watched as at least 10,000 people got out of their seats and streamed onto the field in response to what he said. The power of simple, humble connection is an amazing thing to behold.
I’m not going to get into the technical vs. non-technical, education, and backgrounds of what I think makes a good CISO. I’ve seen some of the best pedigrees get fired and some of the most bootstrapped people succeed wildly. Below are a couple of traits that I like to look for in a CISO. Oftentimes, like my Billy Graham story, leaders separate themselves with simple philosophies, done humbly with a service-based mindset. When I see a majority of the below examples, I get really excited because I’ve usually found a winner.
I love a CISO that:
- Brings Solutions, Not Problems. A CISO is a helper, and establishes his/her leadership by serving, especially early in the tenure. It’s easy to say “no”, but working toward the “how about this option” goes a long way.
- Brings Humility. Any CISO that catches this title and thinks he’s arrived is in deep trouble right out of the gate. A CISO gets to earn his/her influence. CISOs should walk the building more than any other executive. From the youngsters to C-level peers, he/she needs to be asking the questions, “How do you make money?” and, “How can I help right now?” over and over and over. If a CISO wants to be a true influencer, he’s got to know the business, and in turn, that business has to collectively know that he’s been willing to learn.
- Loves Data and Metrics. If you’re a CISO, you know how hard Security is. It’s way beyond just the technical. If it’s hard for you, it’s really hard for people in the company that don’t understand what you do. A good CISO is both digging in on simple, hard questions and backing it up with data. As a CISO, you get an opinion... as long as you’ve backed it up with data. :)
- Loves Their People. A CISO’s team should award him/her Mom Of The Year, every year. A Security team must be encouraged, protected, nurtured and expected to perform beyond their capabilities. Turnover in a Security department can be brutal. Rest assured, there is a long line of people waiting to pick off Security team members that are unchallenged or underpaid.
- Brings a 50/50 Mentality. A good CISO’s time must be spent close to 50/50 between tech and the rest of the overall security apparatus, be it Risk, Privacy, Compliance, Legal, Education, etc. Good CISOs know that Security is an enterprise-wide endeavor.
This list could easily be expanded, but these are the traits that I see in so many successful CISOs. Execution is always built on a philosophy and I love it when I see the above examples in a CISO.