
The CISO As The Model Of Leading Without Authority

With the heightened technology security threats today I started to convene CISOs to better understand their role and what I was surprised to learn was how much they could teach us all about leading in the new world of work. The Chief Information Security Officer (CISO), perhaps more than any other role, has always had to learn how to become the ultimate partner in an organization to lead without authority and to develop the skills of partnership and “co-elevation” both within and outside the c-suite.

Together with our research partner, Crowdstrike, we recently gathered prominent CISOs for three roundtable discussions about the present and future of the role. They provided a number of insights about how they have been able to exert influence and leverage the foundational importance of information security in order to become business leaders in their own right rather than just custodians of critical technology tools. Any manager (or aspiring business executive) can absorb and build on these lessons. As an organization that coaches executive teams, Ferrazzi Greenlight will also build on these lessons to help our clients become better leaders.

Insight #1: Since leadership is influence, build influence by showing (rather than telling) and investing in long-term relationships.

The CISO normally doesn’t control the platforms and the processes that they have to make secure. As one veteran CISO told me: “I have always believed that leadership is influence when you really boil it down, whether it’s with your peers, with your leadership, or even with your team.”

One way to do this is to build relationships with business leaders over a period of time. One CISO told me that he works with other executives and with Board members to help them with their own information security whether for work or even on personal devices. This kind of white-glove service helps non-technical executives to understand and to model best practices and also gives the CISO the chance to build the relationship with key stakeholders.

Another way to build relationships is to show business leaders how to get things done, “rather than telling them what they can’t do,” according to Brian Waeltz, CISO of Cardinal Health. Waeltz gives an example: a customer was exerting pressure on the company to sign up for a HITRUST certification. Brian worked with his business colleagues to help them understand the investments in new tools and processes required and proposed a path to achieve this state of readiness. He says that the colleagues appreciated that the CISO had taken a step backward to view the problem from an enterprise perspective. As a trusted advisor, he was then able to get the company to make some of the investments needed, and having the certification became a key differentiator for the business as it went out into the marketplace.

Insight #2: CISOs should think of themselves as a “chief educator”

Katie Jenkins, CISO of insurer Liberty Mutual, says that even after four years in her role, she still thinks of herself as the “chief educator” who demystifies information security, moving it away from a “dark, scary place” that no one wants to discuss. This point resonated with the CISOs at the roundtable in different ways.

One CISO said he takes technical topics such as the NIST Risk Management Framework and applies them to an executive’s business process in very small bites to make them easy to digest. This “easy-to-consume” approach reflects his own early career as a software developer, when he had to learn soft skills like influencing peers in small bites on the job before becoming an executive.

Part of the educational function is exerted through the CISO’s “ambassadors” to business units – known in some companies as BISOs and elsewhere, informally, as “security ninjas.” Cardinal Health’s Waeltz talks about cybersecurity questions that business groups raise in their staff meetings. Being able to “break that down in layman’s terms” and to explain the CISO team’s investments and strategies has been extremely beneficial.

Jerry Dixon, CISO of cybersecurity technology company Crowdstrike, does a lot of his educational work in one-on-one meetings with board members and senior executive staff. He also meets with the company’s engineering teams, involving them in threat modeling by understanding their security concerns and getting their feedback on what might be missing from the threat models.

CISOs agree that high-profile threats like the global cybersecurity alert caused by the Russian invasion of Ukraine have provided an opportunity to move longer-term priorities forward. Shuk Khader, CISO at Foot Locker Inc, observes, “The elevation of attention on the cybersecurity space is definitely dialed up to the max and has been sustained for probably the longest that I can ever remember.” He recalls that in previous cybersecurity roles in financial services and cosmetics/personal care companies, “you had to earn your time with the board and or executive committee to share your thoughts and sort of articulate the security risks.” He meets with the Audit Committee/Board on a regular cadence and also fields numerous inquiries. In effect, the CISOs are building currency when their companies (and CEOs) are feeling vulnerable which enables them to be more effective educators about cybersecurity and to influence real decisions and business outcomes.

Insight #3: Make collaborating on CISO issues fun, engaging and beneficial

Information security requires educating team members in different parts of the company. To be most effective, it also requires not only their awareness but also their active collaboration. Some CISOs tap into specialized expertise in order to make “red teaming” activities more fun: for instance, involving finance teams to help create training to defend against phishing attacks. When the finance teams, rather than the usual IT team, helped to design the bogus bank wires or business emails for one phishing training effort, the “fail rate” — or success of the training — was much higher because they were able to create much more convincing content, one CISO told me.

Gamification of security training is another method several CISOs mentioned for making things fun and engaging. Liberty Mutual puts on an annual video production, this year a Family Feud-style game show with paid actors, which includes cameos by executives. It then becomes an actual game for employees, built around an important but mundane topic like password selection. The employees compete for points and prizes. “It just creates a little brand and buzz and is a nice complement to the slap on the wrist when people fail their phishing exercises. You have to lift things up a little bit with fun,” says Jenkins.

Some of these fun activities can attract other employees to want to come work in the CISO organization. One CISO told me that when you explain the various behavioral aspects that an attacker is trying to exploit in human psychology you’re describing something fascinating. Consequently, he has been approached by current employees in important positions about possible job openings in the CISO organization.

Insight #4: Take ownership of a business problem that builds on and extends a CISO competency

CISOs see the evolution and growth in the role as increasingly aligned with driving growth in their respective businesses. Rich Agostino, CISO at retailer Target, has seen that enablement focus happening in two phases: first by providing tools and education to help the tech team deliver what the business needs quickly and securely; then by working directly across the enterprise with business groups to support evolving operations like digital customer returns and to defend against bots. One function mentioned by several roundtable CISOs as an area for business enablement is authentication/authorization. This is an industry term for the countless times when software asks a user to prove that they have the right to access something (for example, a website) and then grants that user the privileges to do things (for example, to access and modify credit card information).

One CISO told me that he took ownership of this front door to the company’s business because of its security aspect. “Then we know that customer for their lives, and we know that any time they come back into our environment, regardless of what particular portal, what line of business, what service, we know who they are. So that puts us into a very positive position to be able to help our actual customer service areas to know, to validate and to be able to reach out to that customer,” he says.

He notes that earlier in his career when he worked in banking, the CIO would have tapped the CISO organization’s technical expertise, but never would have allowed security to own the entire authentication function. He attributes the change to “the trust that we built up across the company,” and being able to perform highly effectively.

Other CISOs at the roundtable also pointed to authentication as an area their groups have taken responsibility for. Khader cited provision of seamless customer experience as a motivating factor at Foot Locker. And Cardinal Health’s Waeltz noted the adjacency between authentication and privacy: his team is collaborating with Data Engineering and with the company’s Privacy team on a large data protection program that is nearing launch.

Insight #5: The old things never go away…

“The interesting thing about our job as it changes,” says Agostino, “is that the current things never go away. It’s always additive.” The foundational aspects of information security are called that for a reason: no business can survive without them. As Foot Locker’s Khader says, “And while threats will always exist, we can build on a strong foundation to take steps to be prepared.”

As I convey to my coaching clients from a variety of different executive areas, everyone expects you to do your job, but to prove that you are more than just your current role, you have to ask to take on responsibilities that show that you are driving broader business enablement. Like other insights from the CISO world, this one applies to any business manager at any level who wants to become more effective and grow their career.
