Interview With an Expert: How Does a CISO Learn to Be a CISO?
The role of the chief information security officer (CISO) is quickly becoming more important as cybersecurity in general becomes more intertwined with companies' business activities. This fact in itself is indicative of the versatile nature of this position.
To learn more about what qualities a successful CISO should have, it's best to talk to one. Mr. John Hellickson, managing director, Strategy & Governance at Kudelski Security and former CISO at First Data Corporation, agreed to give InfoSec Institute readers backstage access to areas reserved for experienced security experts that exercise this profession.
What should you learn next?
1. What are the areas in which a CISO should be particularly experienced in order to be successful?
Mr. Hellickson: There are many unique factors in the CISO's path to success, and they can be quite different across companies and industries. The role used to be seen as the company's information security technology expert, often buried in the IT organization.
Today, at most organizations, the position prominently involves risk management. The CISO needs to fully understand their industry, establish a security vision for the company, and align their security program to the business' goals and objectives. Moreover, communication skills are key, with the ability to speak the business language, while maintaining the capability to get in the technical weeds with the IT, Application and Development teams across the company.
At the same time, they need to demonstrate strong leadership skills and be able to influence others to manage risk, particularly when they don't report up through their own chain of command. Since Security pretty much touches every part of the organization, the CISO becomes an asset when they manage to create a bridge between the technical approach and how they convey the positive impacts their investments and controls have on the organization.
Ultimately, the CISO must be seen as a business enabler, helping the business understand and manage risk, which often helps the company make informed calculated risks to achieve business objectives that they might not have otherwise.
2. What are the lessons you learned on the job? What you wish you'd been told before and after the first day?
Mr. Hellickson: Since I have been in the information security field for more than 20 years, I had 'ideas' on what I would do when I became a CISO, but on day one, I wish I was told to relax. I knew the role had enormous responsibility for the organization I was with, and having the fortunate, or more like the unfortunate, benefit of knowing where most of the security gaps existed over the 15 years of working there, I created unnecessary stress for myself and many of my direct reports. I realized the job goes beyond the purely technology tasks of being versed in the best ways to address issues and threats.
As you start working as a CISO, you will find out that your role is more of a business facilitator. You need to know about regulations, how to be compliant and be able to draft a path for security protocols, while also developing a relation with the IT leadership who will put into practice the stipulated tactics. You need to make sure risks are being identified, assessed equally, and understood by the business leaders who truly own that risk while being associated to the mission of the business and industry. You will become the puppeteer behind the curtain, moving the right elements and people's attention to the most important risks and threats that the company is currently facing. The modern-day CISO needs to be prepared and exude the executive presence that many of their C-Suite peers already have, while maintaining and achieving the cybersecurity goals that effectively manage risk.
3. What were the biggest challenges that you had to deal with, and what skills and experience do you wish you had from the start?
Mr. Hellickson: One of the top challenges when starting as a CISO is the ability to demonstrate to the Board of Directors that you are the right person for the role. As CISOs, we need to be able to effectively manage cybersecurity risk across the enterprise and understand the strategic business value working with different people in the hierarchy of the company. This means being recognized as a key part of the company's success. From the start, CISOs have to create awareness about cybersecurity in terms of business goals, instill confidence in the security program and its framework, while maintaining regulatory compliance, delivering upon stated roadmaps, maintaining regular discussions with Board members to keep them abreast of threats and risks and the impact to the organization.
On top of that, technical savviness plays an important role to ensure the right controls are implemented. It goes without saying, but we need to keep up with disruptive technologies such as IoT, AI, and Automation & Orchestration, to name a few, while not falling into the trap of buying and partially deploying more and more next-gen sets of technologies. People in this position will have to face other obstacles, such as recognizing the new skillsets required to successfully make the transition to embrace and support Cloud adoption, while the industry faces shortages of skilled cybersecurity practitioners. And there's always the continuing challenge of convincing the executive management that the organization needs to spend even more on security technologies when we've been investing heavily in this area for past few years.
4. What are the key attributes of a successful CISO? Do CISOs need mentoring?
Mr. Hellickson: A successful CISO engages with the business. As I mentioned before, a CISO's role today is primarily Risk Management. They are more of an advisor and strategist, while also being a technologist behind the scenes. Establishing a Security Risk Steering Committee, with other C-Suite members, is one of several effective ways to engage with business leaders. The old practice of instilling fear, uncertainty and doubt to drive support for additional budget and large projects is long gone.
The CISO should be perceived as a business partner, a team player, adaptable to the business changes and threats, and have a continuous improvement mindset across people, process and sometimes technology needs. Additionally, the CISO should be focused on self-improvement, where a coach and/or mentor are essential to becoming a very effective senior leader. As a fellow colleague often says, athletes of the highest levels always have a coach, often many coaches, from experts in their sport to nutritionists that keep them as healthy as possible. Why shouldn't CISOs? The CISO has one of the most challenging roles within any organization. They should have both a senior business leader and an industry peer as mentors, and if the organization supports it, an executive coach to improve their leadership and organizational influence skillset.
5. Communicating with the board is often a challenge for CISOs. How can they improve security communication?
Mr. Hellickson: Understand their audience. Often, their Board members are on other Boards or currently serve or have held different Executive Leadership roles at other companies. This means that the programs a CISO implements will be compared to those in other organizations. Researching Board members' backgrounds could provide useful insights on how to engage with them, from their knowledge of cybersecurity and the industries they have experience in, to the peers in the industry you should be reaching out to whom the board member may already be discussing cybersecurity with.
Additionally, when a CISO has their 10-30 minutes with the Board, they should avoid telling the board that their controls are effective. They should, instead, demonstrate this by showing how everyday activities are linked to real-world threats. For example, the CISO could explain how an improved phishing testing and security awareness program reduced the number of employees falling prey to a real-world phishing attack while the email security gateways identified and stopped many of the phishing emails from going to everyone in the organization. As a result, they attest to a minimally-impacting incident thanks to the people, process and technology controls, nearly eliminating the loss of productivity for the impacted users and reducing the time IT would have spent tracking down the malware and rebuilding systems from the ground up. Examples like this one help different members in the organization put into context the results they are getting.
In short, the CISO should embrace a strategic vision, enable business products and services, build executive presence and have the ability to get things done across the organization through influencing skills.
Source: Kudelski Security
Conclusion
According to a Bitdefender's survey issued in March 2018, 72% of CISOs admit their IT team experiences both agent and alert fatigue. To address this issue, most organizations plan to expand their IT security teams, even though the global cyberskills deficit is negatively affecting their efforts. Moreover, 69% of CISOs consider their team as under-resourced, which, in turn, puts a heavy burden on difficult security tasks (one of which is monitoring activities, according to the CISOs in the U.S.).
While there is no quick solution to these problems, we could draw some meaningful conclusions from what Mr. Hellickson mentioned. First, a CISO should be a person that possesses strong communication and leadership skills; a person that can unite different entities within an organization under the banner of "security is everyone's responsibility." Second, in order to do that, the CISO should be familiar with the risks the company faces. Last but definitely not least, he/she should also be familiar with the organization as a whole so that he/she could implement an effective security strategy that is in line with the organization's business goals.
FREE role-guided training plans
You could say "It's easier said than done," but it is certainly not an impossible mission with respect to companies where a CISO knows what to do and knows from whom to learn the things he/she does not know.
In this Series
- Interview With an Expert: How Does a CISO Learn to Be a CISO?
- Top-paying cybersecurity jobs and salary trends for 2024
- The importance of IT certifications in boosting your career
- Understanding the role of a network engineer in IT
- The role of the chief information officer (CIO) in cybersecurity
- What is a network engineer and how to become one?
- What does a system administrator do and how to become one?
- Cyber security hiring: Tips and best practices
- Cybersecurity soft skills: Career benefits of public speaking
- CompTIA Data+ certification: Opening doors to new careers
- Surviving cybersecurity burnout: Tips from industry experts
- How to make a mid-career change to cybersecurity
- 7 top security certifications you should have in 2024
- The Changing Role of the Modern SOC
- Discover the top 5 information security management certifications
- CySA+ versus CASP+: Is the CySA+ good enough for a career in cybersecurity?
- The best cybersecurity jobs in 2023: Trends, roles and salaries
- Top 10 penetration testing certifications for security professionals (2023)
- How to land an entry-level cybersecurity job: Essential skills and certifications
- 133 cyber security training courses you can take now — for free
- Breaking down barriers: How to make cybersecurity more inclusive and diverse
- Computer forensics interview questions
- The digital security forensic analyst salary guide
- Applying linguistics to cybersecurity: The journey of Jade Brown, a 2022 Infosec Scholarship winner
- The Path to “Career 4.0”: Amy Bonus leverages humanities, FinTech experience to bring Cybersecurity to the layperson
- Security engineer: Degree vs. certification
- Cybersecurity engineer: CyberSeek
- Infosec Accelerate Scholarship winner highlights essential qualities of a successful cybersecurity professional
- Career skills, imposter syndrome and intelligence-led pentesting | From the Cyber Work desk
- Cloud security engineer interview questions and answers
- Prior preparation results in a big payoff for Jason Mondragon, an Army veteran transitioning into cybersecurity
- Infosec scholarship winner Kandice Kucharczyk salutes her mentors as she sets her sights high
- Which CompTIA cert is right for you: Security+, PenTest+, CySA+ or CASP+? [updated 2023]
- How VetsInTech and Infosec Laid the Path to Gaurav Panta’s New IT Career
- Infosec 2022 scholarship winner Anthony Torres: Bringing the Marine Corps ethos to the cyber domain
- Infosec Scholarship winner Chris Chisholm knows the power of service and diversity in cybersecurity
- Betta Lyon Delsordo, Infosec scholarship 2022 winner, is a true life-long learner
- A veteran transitions from military medical logistics to multi-national security analyst
- An Army National Guard member fast tracks his cybersecurity career transition with VetsinTech
- How a career harnessing Navy nuclear energy can power a transition to a Security+ certification
- What is a cloud administrator? Essential roles and skills
- Security control mapping: Connecting MITRE ATT&CK to NIST 800-53
- Should you take the CCSP/SSCP before the CISSP? [updated 2022]
- (ISC)² certifications: The ultimate guide [updated 2022]
- CCSP vs. Cloud+ [updated 2022]
- Data architect: The ultimate career guide
- The ultimate guide to ISACA certifications: Overview & career paths [updated 2022]
- I failed IAPP’s CIPP/C certification. Here’s how I recovered
- How learning to be "Always Flexible" helped a Marine in earning the Security+ certification
- How to learn and pass your next certification exam
- Mission accomplished: How one army veteran turned neurobiologist moved into cybersecurity
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Professional development
Professional development
Professional development
Professional development
The role of the chief information officer (CIO) in cybersecurity