What it takes to be a successful CISO
- 26 October, 2015 13:21
Recently, a terrific story on CSO Magazine online was published by Tayler Armerding that highlighted how CISOs are seen in such a poor light given a recent ThreatTrack report that surveyed 203 C-Suite executives. In general, the viewpoints of CISOs were very disappointing. As CISOs, we have been seeing a lot of “unplanned” movement in the industry as well.
As part of the Surviving The C-Suite Blog on CSO Magazine, I wanted to share the experiences of other executives to raise and elevate the profile of the CISO in the C-Suite. The goal is to make the CISO successful and thrive in an organization, not viewed as the “anti-business” department that does not know how to fit with the rest of the organization.
We have seen many CISOs come and go over the years; however, a critical point a CISO needs to achieve is the three-year mark within their own company. It demonstrates that not only can a CISO lead a cybersecurity program and manage risk for an enterprise, but also can work across the enterprise with other C-Suite executives. This is very important because in most cases it demonstrates they can politically survive and even thrive as a CISO. It’s no secret a CISO position can be a very contentious position, but a successful CISO can determine his own future with a company and not have it defined by another executive.
I like to think my execs believe that I will knock walls down if they give me the opportunity to do so.
I spoke with the distinguished Kim Jones, Global SVP & CSO of Vantiv based in Cincinnati, Ohio. Kim relocated from Scottsdale, Ariz., over three years ago to lead the No.3 credit card processor in the USA. When I reached out to Kim, I wanted to see how he has been successful at Vantiv and how he functions with other executives. In addition, I also asked what is it like to deal with target on your back at times, and how to balance business needs against securing a major corporation.
You have been with Vantiv as an SVP & CSO for one of the top three credit card processors in the USA. For the past three years, what are some of the attributes that have made you successful in your position?
For me the key component to successful security leadership is to remember you are a business leader first and foremost. My job is always to enable the business and look for ways to help the business succeed. This is more than just a slogan or a catch phrase; it is a philosophy and approach to how I do the job and how I expect my team to do the job. "No" may have to be the first answer, but "how" must always be the last.
When you reflect back on your own career as a CSO, what was your biggest mistake, what did you learn from the mistake, and how did you recover from the mistake?
I have been told that I think in a non-linear fashion; this helped me tremendously as an intelligence analyst in the service. The problem is, though, that I tended to (accurately) leap to the conclusion about an issue without laying out the steps, thinking that everyone could see the same thing I did. This really hampered my ability to communicate to non-security/non-IT folks early in my career. I spent a long time (with the help of good mentors) learning how to communicate and lay out the step so that others could reach the conclusions I was leaping to.
What should CISOs be doing in order to work well with the business units within the enterprise?
Get out of your office and go talk to your business partners -- and their bosses. I still make a habit of walking the floors of my headquarters building twice a day...and that includes a swing through the executive wing. I duck into offices and cubes regularly just to see what is going on and what I can help with. I get more information and conduct more business during my 'walkabout' than any other time.
What tips would you offer a first-time CISO coming out of the gate into a new CISO position?
Whenever I take a new gig, my first investment is a $500 Starbucks card. I then spend the better part of the next month taking key leaders and influences to coffee. Many people do not have time for a meal, but everyone has time for a cup of coffee. anyway, I ask these folks the same three questions every time: (1) tell me how you make money; (2) what keeps you up at night; and (3) if there is one thing I could do in my area to make things easier for them, what would it be. You do this for a bit and not only will you get a good understanding of how the organization works but you will quickly identify some low-hanging fruit re: what makes sense for you to tackle first as a CSO. It is a simple technique, but it works for me.
Being a CISO can be a contentious position and sometimes you have to deliver a tough message. How to you handle yourself to prevent a tough message from turning into a bigger issue?
The best way to do this is to establish a level of trust within the organization first and foremost. if the executives believe that you're not just being chicken little and that you know the difference between rain and the sky falling, they are more inclined to listen when you *do* bring tough things to them. In addition, it is always important to bring potential solutions to the table as opposed to just problems. In the end though, sometimes things are just going to sting. The execs are not going to be happy, and someone is going to be looking to blame you as the messenger of bad news. That is the gig, and all you can do sometimes is accept that as part of the gig. As a former GI, I was once in a position to be yelled at by an US ambassador as well as a four-star general; not fun, but I (and my career) survived. If I can survive that, I can survive occasional enmity from the C-Suite. Just remember: it is never personal -- for you or for them.
What makes you an effective CISO when presenting to your Board of Directors?
Best advice I heard re: board presentations was from a former CEO who sits on the boards of tech companies: "I want to know enough about security so that I can know that we're OK so I can move on to the next sales and marketing problem." Of course, figuring out “how” to do that is the trick...but remembering this outlook is helpful as I prepare for the board.
Being in the C-Suite with people more powerful than you can be really tough. How do you manage to co-exist without getting caught in the fray of issues and battles that go on in the C-Suite?A good security professional is always Switzerland. I am a skill player when it comes down to it, which means my focus is to provide subject matter expertise around a subset of risk topics. I have no aspirations for my boss' job, or to be CEO; this makes it easy for me to stay out of any political infighting that might go on in a company.
What makes you credible with your executive leadership team and be seen as a trusted adviser?
I try not to be hyperbolic (though some of my execs in the past might argue that point) and look for ways to solve problems versus create them. I like to think my execs believe that I will knock walls down if they give me the opportunity to do so.
How have you dealt with other executives in the C-Suite that want to put a “bull’s-eye” on your back. What did you do to reduce the conflict and situation?
The bulls-eye can only exist if you (a) are perceived as non-factual or (b) perceived as not enabling. Not everyone is going to like you; that is not the job. If you are factual and bring solutions versus just problems, you will make a difficult target.
This article is published as part of the IDG Contributor Network.