Recovering from a 'Bad CISO'
Episode 23 • 7th May 2020 • The New CISO • Steve Moore • Duration 00:49:11


Shownotes

Advice To A Younger Self

A core truth to being successful is always delivering more than the organization expects. Going above and beyond to find out what is most important to your customers is key. Make the customers' reality your reality and work from that viewpoint. Figure out their definition of value and find your place in that value, then fuse those two points together.


The Previous CISO Failed To Deliver

A lot of the time a bad CISO isn't something that happens in a purposeful manner. The organization is growing and evolving and the position needs to be filled. This is common when someone is very good technically and continues to get promotions until they find themselves in a position they do not know how to fill. It takes more than technical skills to be a successful CISO; it takes leadership skills, strategy, and good communication skills. Those communication skills are key to building trust across multiple departments before a crisis arises. So what if you aren't aware that the previous CISO wasn't competent? There are some questions you can ask in the interview process to get answers. For example, you could ask questions such as: where does security sit in the organization, what communication channels does the security team use, and who does the security team talk to within the organization? If you feel you aren't getting answers to these inquiries, or you feel you're being lied to, there is a good chance you're being hired to clean up a major mess.

Cleaning Up The Pieces

Sometimes going back to square one is the only approach if the organization was left in absolute shambles. Meet with the CEO as soon as possible to get the entire picture of what needs to be done. One bad manager or one bad director can ruin the entire team, and sometimes the entire organization; being able to get in there, identify that quickly, and get rid of the dead weight is key to rebuilding the organization. Meet with people to see who is doing what: meet with the executives, then your peers, and then your employees. Build that base knowledge of the company culture, who is there, and why they are there. Once you've gained this knowledge, use it to show your value to the organization. Show them tangible results: that you've come in, cleaned house, rebuilt the security structure, and what that is doing for the organization. This builds credibility, which builds trust, gains funding, and gets support.


Marketing The Success

So now that you've been hired on to clean up a giant mess, and you are starting to see the rebuilding of the security team come together, it's time to show some of those successes. Perhaps there were changes that went unnoticed until they were being completely relied on; for example, if you put in place the infrastructure to work completely remotely and that is now being utilized, share that with the executives. Create a program to test the holes and weaknesses in the security system, then share the results and also share how you've fixed the bugs you found. These tests and programs will not only show your value as CISO to executives, but will showcase how important each member of your team is and how they contributed to the evolving success of the security team. This builds team morale, which directly correlates with better company culture. The board cares about acquisition and retention, so you need to know how to market your program to them to emphasize those key points. Sit down with the executives, find out what their biggest issues are with security, and figure out how you can make their lives easier. Building the team around the company's needs is key to prolonged success. Beyond the executives, meet the sales team and find out what they need from the security team. The sales teams are out on the ground speaking with customers all day, so if you can give them answers to security FAQs before they have to ask, that builds yet another bridge into the wider organization.


What Being A New CISO Means

Never stop learning, be hungry to learn and improve. Always be the best version of yourself you can be. 

Resources:

New CISO Podcast: Linkedin

Steve Moore: Linkedin

Exabeam: Website

OpenText: Website

Ed Kiledjian: Linkedin
