What CISOs Taught Me
First off, I’d like to express how thrilled I am to join Forrester’s security and risk research (S&R) team as a senior analyst. I’ve been working closely with this team for eight years in my previous role as a principal advisor to our chief information security officer (CISO) community, and I’m honored to join the analyst ranks and dig into my coverage areas, which include incident response, continuous controls monitoring, and business strategy aspects of Zero Trust.
I’ll also be writing for the role of the CISO. After all, CISOs and security leaders taught me a great deal in eight years — and it wasn’t all about technology. I watched this role, and those in it, change over that time from IT-focused fixers to multifaceted executives with a unique and important view of the businesses and reputations they protect. It was quite a ride, and I want to thank current and former clients, many of whom I consider mentors and friends, for bringing me — and Forrester — along with you on your journeys. From you, I learned the following about what “good” looks like for security leaders of all types:
- “I don’t shine if you don’t shine.” Shine Theory, created and popularized by podcasters Ann Friedman and Aminatou Sow, is defined as “an investment, over the long term, in helping someone be their best self — and relying on their help in return.” Security leaders with strong and loyal teams practice shine theory daily. They create environments conducive to input, growth, and creativity. They demonstrate the traceable alignment of security efforts to business goals and objectives and provide opportunities for meaningful interaction with the business. They build a strong bench and make it possible for team members to find the right balance between work and home, especially when those lines blurred dramatically in 2020. Stay tuned for new research from my S&R colleague Jeff Pollard on empowering direct reports and from yours truly on the importance of succession planning for security.
- There is, in fact, an “I” in diplomacy. One of the most interesting organizational developments I watched over the last three years was the shift in spotlight away from the CIO to the CISO. This was most notable in the increase in board demands to hear directly from the security leader. Many of these leaders, used to adding a few metrics-related slides in the CIO’s deck, were daunted by this new level of attention (we held workshops, reviewed slides, and published research to help). Those who seized that spotlight and used it to paint a candid picture of current posture, gaps, and risks were met with largely positive, encouraging responses — and invitations to return the next quarter. This newfound celebrity did little to ease increasing tensions between CISOs and CIOs, and in some cases, new reporting lines were drawn and org structures evolved by security leaders willing to navigate political minefields with diplomacy and an unblinking eye on the ultimate goal: the viability of the business.
- You only get what you give. Though CISOs have been met with more open checkbooks in the last five years, they must always make decisions, as seasoned CISO Jim Routh often states, to apply scarce resources to a firm’s top risks. Budget aside, the decision to invest in a technology solution brings with it people and process changes and commitments. Security leaders making smart investments in technology are demanding partnership over transaction. They’re watching huge platforms emerge with offers that CIOs and CFOs can’t refuse, but they’re willing to fight for the solution providers they believe are truly best of breed and provide value to the business as a trusted partner. This means having continuity in key contacts, transparency, and value in communication as well as a real hand in shaping the future of the product or service.
- We’re on a shared mission. Back in April 2020, my client at a large business services firm told me he had just briefed his leadership team on the security risks and mitigation efforts associated with the pandemic. In that meeting, he was asked by his executives, “How many other CISOs did you talk to this week?” In reply, he cited a recent call between Forrester CIO and CISO clients on pandemic response as an example of the peer guidance and perspective he receives from us regularly. The mission that security leaders share is distinct and urgent. Effective security leaders seek out the experiences, decisions, and cautionary tales of their peers. They incorporate those valuable insights into their own programs. Our next CISO roundtable discussion takes place March 25, where the group, Sandy Carielli, and I will dig into the benefits and potential pitfalls of responsible disclosure and bug bounty programs.
I look forward to channeling the voices of our CISO community into my research and interactions with all our clients. I would appreciate your input and feedback as I shape my research agenda and plan future CISO roundtable discussions.