It’s hard to believe that I’ve just turned the corner on my first year at Forrester as a security & risk executive partner — and what a year it has been! Working with top security leaders across all types of industries and incredibly talented co-workers has been rewarding and has challenged me in the best possible way.

As I look back on the last 12 months, for this installment, I thought I would talk about a few key observations I’ve made.

My Observations From The First 12 Months

  • Different company + different industry + different regulations = same job: Sure, there are differences. The regulations, specific issues, culture, and the rules you operate under may vary. But whether you’re a government agency, law firm, corporation, or a financial institution, the core tenets of being a CISO don’t change, and neither do the challenges, at least not nearly as much as I thought they might.
  • Focused on the business: The good news is that most security leaders I speak with got the memo on security’s purpose: being aligned with and focused on helping the business achieve its goals while reducing risk to acceptable levels.

Unfortunately, it’s also clear that not everyone outside of security did. I still hear instances of security getting a “bad rap,” being a roadblock to any number of things including customer service, customer experience, and innovation, which leads me to my next point.

  • Influence, or lack thereof: If I had to call out one thing that stands out across my interactions, it would be influence. It’s the soft skills that are the most challenging and, I would argue, the most important.

Outside of specific technical or strategy-related discussions, we talk a lot about how to wield influence and the benefits of good storytelling skills. Whether that’s getting IT, leadership, departments, teams, or the business in general on board, there’s still a tangible struggle to do so effectively and consistently.

I have long said that people are the hardest part of security, and this observation solidifies that. The impacts can be significant, including increased risk, inability to secure funding, project/initiative delays, and frustration. In some, if not many, cases, it directly contributes to burnout. To be fair, I have also seen great examples of what “good” looks like and the significant difference that it can make. Check out our research on influence and storytelling:

Influence And Engage Executives

Master Storytelling For Impactful Leadership

Use Leadership Storytelling To Communicate Tech’s Business Value And Inspire Action

  • Boiling the ocean: Good project management skills matter. This may seem logical, if not obvious, but it’s easy to get overly focused on the end-state objective and subsequently get overwhelmed. Consider the following:
    • Define what “good” looks like and what the final end state looks like. Without this, you won’t know when you’re done or how to measure your success.
    • Break the initiative into logical, manageable pieces that are easier to control and adjust, and net measurable wins along the way.
    • Speaking of “wins,” identify quick wins that make an impact and show immediate progress. It’s even better if these wins benefit groups outside of security, which can help with influence.
    • Define use cases, where applicable, using a risk-based approach.
    • Report on and celebrate the achievements.
    • Project prioritization across the company is also key. You can’t have 10 number-one top priorities. If everything is a priority, then nothing is.
    • Any of the above can be adjusted along the way, but without them, you are, well … boiling the ocean.

I am sure that some, perhaps many, of you are thinking, “Geez, David, we know all this!” How right you are, and that’s my point!

For all the progress we’ve made, we continue to struggle with some of the fundamentals. I’m not even talking about basic cyber hygiene (that’s a whole other blog). Don’t mistake fundamental for easy — that’s exactly why we are where we are. It’s hard. People are hard. Personalities can be challenging, and expectations are at an all-time high. In addition to business, I have often thought that, if there was an adjacent degree or minor that would be most useful for a CISO, it would be psychology.

So that’s a wrap on year one! Don’t forget that we have the 2023 Forrester Security & Risk Forum coming up this November 14 and 15 in Washington, D.C. See you there!