The following is an excerpt from the book "Reinventing Cybersecurity," from JupiterOne Press. You can read the rest of the book by purchasing a copy on Amazon, or download the digital version for free.
The modern Chief Information Security Executive (CISO) is a vast, strategic, and expanding role. In a world where every organization competes on technology, the CISO must balance security with risk management, productivity, and product innovation. The new CISO is much more than just a technical and tactical specialist. Instead, the CISO is a strategic business driver, responsible for solving a complex array of cross-functional challenges.
The CISO is a big and critically strategic role. Today's and tomorrow's CISOs have a huge responsibility to become experts and 360-degree collaborators across an incredible number of business functions, while also elevating and expanding the role. CISOs must create partnerships, be intentional about talent, and embed security into business processes. Security executives must be dynamic risk managers and evolve continuously alongside the changing threat and technology landscape. The CISO role is challenging but incredibly rewarding. I hope that my experience and perspective will empower rising CISOs to become strategic executives who transform the security of entire organizations and industries.
Overview: Five Strategic Priorities for the Modern CISO
The CISO is still responsible for overseeing the success of core security functions, such as cyber defense, cloud security or compliance. At the same time, they must focus on creating new security capabilities to drive new value streams. Redefining the strategic priorities for a modern CISO means focusing on several emerging responsibilities: partnerships, collaboration, innovation, and preparing for the future.
- Build 360-Degree Partnerships
- Be Intentional About Talent
- Embed Security into Business Workflows
- Create a Dynamic Approach to Risk
- Continuously Adapt and Evolve
The role of the CISO barely existed 20 years ago, and it was very rare outside of global financial institutions. A decade ago, the CISO was a more common hire, but early CISOs were often highly tactical technologists. Today, the CISO role is critical to almost every organization, and it's also emerging and evolving each day. I hope the following lessons I have learned about being a strategic security executive are valuable for today's and tomorrow's security leaders. The CISO's path is incredibly challenging, but also incredibly rewarding and fast-paced.
My Path to CISO
As is the case with many of my peers in the industry, I did not plan to become a CISO. While there have been a number of diverse leadership roles in tech such as Chief Information Officer (CIO) or Chief Technology Officer (CTO), the CISO role is still relatively new in many industries and continues to evolve significantly. My early career moves were motivated by curiosity and impact more than anything else. I always wanted to avoid being too comfortable in any role, which continuously pushed me into new and emerging areas.
My career began as a software engineer at IBM Global Financing, where I architected and built front-end and back-end components for customer-facing financial applications. I enjoyed creating mission-critical financial apps and all that goes into it - user experience, feature development, testing rigor, service management, and oh, security.
I became curious about how to operate applications reliably, and at a global scale, which took me to the IBM CIO organization. How do you support over 400,000 employees operating in over 150 countries? I naturally progressed into roles in infrastructure engineering, enterprise applications, and data platforms where I gained first-hand exposure to performance, availability, incident management, and most importantly these days, employee productivity. I expanded into more strategic roles around technology transformation, innovation, and partnerships. These roles involved presenting to senior leaders on a frequent basis and building a skill that would become critical down the line.
Leveraging Engineering to Drive Business Growth
The roles in software and infrastructure engineering during the first phase of my career made me curious about how technical skills and functions can be applied to customer-facing roles, and ultimately, how to drive growth and revenue for the business.
I wanted to learn how to launch products, how to price, how to market, how to sell, how to get customer feedback, and ultimately, how to measure success for the business. I took a significant risk in moving away from an area where I excelled and had worked hard to build credibility; many peers and mentors thought I was crazy to start over again. But I've always felt that if a role makes you slightly uncomfortable, it's a good thing. From challenge and discomfort comes growth and skills expansion.
I moved into an organization that was being formed to look at growth opportunities in cloud, data, mobile, and security. I became fascinated with all four areas, which were fundamentally changing the daily lives of consumers and the dynamics for enterprises. I ended up specializing in cybersecurity because I felt this field actually touched all the other areas!
So much investment and innovation was happening and I was glad to be a part of this 'start-up' space and get experience in helping shape a profit and loss strategy. It opened up my eyes in so many ways and helped me look at engineering through a different, business-oriented lens. I learned the ropes of market research, strategy, product management, product marketing, sales operations, financial management, and mergers & acquisitions as a means to make quick market impact. Ultimately, I became the Global Head of Strategy & Product Management for IBM's security services division, where we created new security solutions across consulting, managed and cloud-delivered services.
I spent a lot of time having conversations with Fortune 500 customers to understand their security needs in order to build better products and services for the market. One of the companies I spoke to was News Corp, who asked me to join them as CISO. My pathway to the CISO role was not straightforward. It made little sense to others around me. There was no well-defined pathway to becoming a security executive during my early career, especially compared to well-established paths to roles such as Chief Operating Officer (COO) or Chief Financial Officer (CFO). But I'm proud that I took risks to challenge myself and that taking calculated risks created a path to CISO.
When members of my team tell me that they want to pursue a CISO career path, I help them gain exposure to more areas of the business and create a more well-rounded skill set. Future CISOs need to be proactive about receiving cross-training in as many business and tech functions as possible. CISOs must develop 360-degree expertise across engineering, product, revenue, customer success, and countless other domains to succeed in a highly collaborative, strategic role.