Assessing Security Reporting Structures
Episode 10 • 25th October 2019 • The New CISO • Steve Moore

Shownotes

Moving From Consultant to CISO 

As a consultant you gain a lot of work experience very quickly, because you are working with many clients on many issues, so the transition from consultant to CISO is fairly common. As a consultant you don't get to see the changes you've made grow over time; you only see the short-term effects and move on. If you decide to leave consulting and sign on full-time with one company as CISO, you see how everything you do evolves over time, and you are able to put all of your focus into one place.

Advice To Younger Consultants And Future CISOs 

In every professional career there is a desire to succeed, and sometimes we make ourselves crazy trying to get there. Knowing when to ask clients the right questions is so important: they might not even know what they need, and by steering the conversation with questions everyone can reach the desired outcome. Having a clear perspective on what they are actually looking for helps you deliver an appropriate result while keeping your workload balanced.

Security Reporting Structures 

Every company and organization is different; there is no golden rule of reporting when it comes to security. By understanding the dynamics of the organization you get a clearer picture of where security should report. As a CISO, reporting too low in the chain of command can cause problems, as can reporting too high, to someone who doesn't understand the risks you are reporting. Get to know the dynamics and see how every part works together so that you can report more effectively.

Evaluating A Problem At A New Workplace 

Coming into a new place of work, you have to learn quickly how the organization functions. Watch closely to understand how the different departments work internally and with each other. When a problem arises and you have this knowledge, you will be able to report effectively to the right place at the right time. Doing the right thing for the organization as a whole is always better than doing what is best for one single department.

Frequency Of Reporting 

Routine information that doesn't involve a severe incident is typically reviewed monthly, and again quarterly. For standard incidents, a monthly report covering what goals were achieved, what is projected to happen and how it will be handled is common, and those monthly reports are revisited in the quarterly reports. If there is a severe problem or incident that needs to be handled in real time, report it immediately; don't risk a small issue becoming a huge one by not reporting.

Identifying Warning Signs And Red Flags 

The security of information affects everyone in the organization. If you are speaking with a leader of an organization and you realize that no other departments are involved in security, that should be viewed as a red flag. All departments can weigh in on security; it's important to have multiple perspectives on an issue. Security also needs its own separate budget and should never be a line item on the IT budget, and you don't want to work for a place that doesn't invest in the security of the organization. Being able to speak with the CEO about the needs of the security team is very important; if they are unwilling to listen and learn from your expertise, that is a major red flag.

Lenny Defines Being The New CISO 

It has always been about lifelong learning: being able to grow and develop. It's good to constantly grow and evolve and to challenge yourself professionally.

Resources: 

Exabeam Website 

Steve Moore Linkedin 

Lenny Levy Linkedin 
