Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400 (Updated April 24)
Muddled Libra’s Evolution to the Cloud
It Was Not Me! Malware-Initiated Vulnerability Scanning Is on the Rise
7min. read

The Keys to CISO Role Success—Part Two: Elevating Your Stature

By Ed Harris

In the first part of this series I shared two key actions new CISOs can take to get up to speed quickly and make the most of a new leadership role. In this article, we’ll cover two ways you can elevate your stature as CISO—and your effectiveness—once you’ve gotten your feet on the ground during your first months on the job.  One of these two keys to success is a capability to develop. The other is a professional opportunity to cultivate that can be game changing for CISOs or any leader.

Two Keys to Elevating Your Stature as CISO

Key #1: Learn To Speak Multiple Languages

Almost all CISOs are fluent in the language of cybersecurity. But that’s not enough. You must be equally proficient in other languages of your organization. After all, you can’t be successful as a CISO if you can’t speak to other leaders and teams in words that they can clearly understand and relate to.

As a CISO, you obviously need to know the language of information security. But you also need to know the language of IT. You should be able to talk to developers and people who work in networking and the server team and the desktop team. So speaking IT should be your second language. 

The third language to become fluent in is the language of audit—a vocabulary that speaks directly to the risk posture of the organization. It’s not always about cyber risk. Sometimes it’s just related to risk in general. But the language of audit really aligns with how the organization does business and protects its most important assets. 

Finally, the most critical language to understand and speak well is simply the language of business. It allows you to be heard and respected when talking to your board and your senior executives. You need to be able to communicate things like revenue streams, risk management, what’s going on in all of your business units, and how security impacts all of it. Learning this language even more deeply involves becoming fluent in the different functional areas of your business—including HR, finance, sales, and marketing.

How can CISOs become fluent in all of these languages? One way is to go back to school, as I have done. Years ago I went back for an MBA and now I’m getting a doctorate in IT with an emphasis on cybersecurity. But you don’t have to be a glutton for punishment like me and go back to school; I happen to really enjoy it, and enjoy the process of learning. I find the educational background helpful, not just in doing my job day-to-day, but with public speaking, webinars and other public activities of that nature. The best advice I can offer in learning the multiple languages of business, infosec, IT and audit is to follow the old adage: “We have two ears and one mouth so we can listen twice as much as we speak.”

I find the best CISOs are great at paying attention and asking questions. Come with a humble heart. Go to lunch with someone on the infrastructure team and ask them about servers and infrastructure, about what their days are like and what kinds of new solutions they are using and considering for the company. Have similar conversations across the organization—with leaders and others in HR, finance, sales, and marketing and all corners of the business. I may sit with a business unit president and ask about their plans for the next six months. I’ll think about what they are planning and come back to them with ways I can help deliver what they want with a reduced risk posture. 

When I’m talking to the business side, I want them to see me as “the department of YES.” We don’t ever tell the business, “No.” We always come back with a way to help them generate revenue for our company. Our job is to be creative and get them to a level where they can generate more revenue without added potential for risk liability.

Key #2: Develop Your Own “R&D Team”

What do I mean by the concept of developing your own “R&D team”? Contrary to what you might think, I’m not talking about research and development related to your cybersecurity or technological innovation. Instead, it’s about developing yourself as a leader.

That kind of R&D takes forming personal relationships. This can be with CISOs in other companies, perhaps in the same geographic area, or the same industry, or like-minded individuals that you respect and with whom you are willing to share information. It can also be with think tanks, analysts, vendors and others who may have relevant knowledge, experience or contacts to share. 

You want to build bidirectional communication with these potential colleagues, peers, advisors, and mentors. You want to bounce ideas off individuals whose knowledge and experience complements yours, and vice versa. I think of it as a “personal R&D team” because it’s just for you as a CISO.

It’s important to learn to be comfortable sharing—not just your wins, but also your losses. If you’ve had a problem recently, when you talk to your personal R&D team, you may find insight and guidance in how they’ve handled a similar situation. Maybe they already invented that particular wheel, so you don’t have to reinvent it. 

There’s real value in having conversations at the CISO peer level, even if it’s just talking about how to get creative with financing, or ways to find additional budget money. I advise people to:

  • Get involved with CISO groups in your geographic area or in your industry. Reach out to other CISOs and be willing to share so you develop bidirectional relationships that can help one another. Go to dinners, hand out business cards, collect business cards.
  • Go to conferences, webinars and other industry events on a regular basis, whether in-person or virtual, and listen to the experiences and pitfalls faced by other CISOs across all industries. You may find commonalities that you wouldn’t expect; for example, manufacturing companies and hospitals both deal with a lot of industrial controls, so there is a lot CISOs in those fields can learn from one another. 
  • Communicate regularly with your personal R&D team, face to face, by email, by videoconference, whatever it takes to build a rapport so that you have a repository of people at your level that you can bounce ideas off of. If you are willing to share and learn, you will find that the collective knowledge will help you grow faster and make the work more fulfilling and collaborative.

Taking the Next Step

CISO is a challenging job, especially in today’s environment where the workplace is changing right before our eyes. Whether you’re new to the CISO job or have years of experience, there are always steps you can take to be better, and to make the job more fulfilling and rewarding for yourself.

In these two articles, I’ve identified four keys that have helped me in my career and have helped countless peers and colleagues. These are: hiring smart people, creating visibility everywhere, learning multiple languages and building your own personal R&D team.

As I mentioned in part one, there is tremendous value in hiring people with a teacher mindset. There is also tremendous value in tackling the CISO job with the same mindset. If you set out to teach, mentor, inspire and learn, you can reduce some of the stress that comes with the territory, while continuously making the work interesting and forward-looking.

Ed Harris is Global Director of Information Security at Mauser Packaging and a fellow at the Institute for Critical Infrastructure Technology.

Get the latest news, invites to events, and threat alerts

Popular Resources

Legal Notices

Popular Links

Report a Vulnerability