Whether they're earned or not, there are certain stigmas associated with chief information security officers: They work in isolation, with only a vague sense of how various departments contribute to the organization's greater good. Does this describe you and your team - even just a bit? Or more so? If you concede that it does, that's a good thing. Improvement requires change, which is sometimes uncomfortable, because change starts with you.

For CISOs and their teams, that means transforming into ubiquitous advocates for cybersecurity - and then leading the transformation of everyone in the enterprise into advocates for the same. CISOs will thrive within this change by focusing on input, empathy, and alignment. This will enable lasting success for the shift by allowing CISOs to fully identify and understand information asymmetries throughout the organization and then remove them to clear the path to optimal communications and awareness.

Assigning Tasks to the Wrong Subject Matter Expert

CISOs are responsible for an extremely wide scope and frequently deal with high stress - but are consistently biased toward taking action themselves. They lead the organization well, but at times miss opportunities to leverage the soft skills of subject matter experts (SMEs) to optimize resolution. As leaders, CISOs must remain cognizant of the balance between SMEs' skill sets, the values shared between them and the target organization, and the true goal of the collaboration. The solution requires raising engagement between security and the enterprise across the board, building relationships that ensure the right expert is assigned to the right issue to give the right support. CISOs must rely on the people around them to truly know what is going on. By interfacing with external teams, CISOs create contacts that result in the effective ingestion of information and the proper application of personnel and responses to that information.
Failing to Tie Actions to Organizational and Business Goals

If CISOs don't connect their work to broader goals, it's pretty much impossible for non-IT managers and employees to appreciate the value of their actions. CISOs know why certain controls and responses to threats are needed. They can never assume those outside their team do. Because I've invested that time - to find out what they do every day, along with their strategic goals and challenges - I gain their trust in myself and my team.

Executing Without Making Broad Impact

I push my team members to constantly ask themselves: "Am I implementing a fix that benefits people outside our team? Or am I just trying to make my own life easier?" Obviously, we seek to achieve the former and avoid the latter.

"Everyone has a plan," boxer Mike Tyson is credited with saying, "until they get punched in the mouth." If we work within security silos - isolated in our knowledge, dogmas, and execution - every security issue is like the first time in the ring, and we consistently take punches that we have little understanding of how to handle. If we proactively pursue empathy and alignment as part of our core values, we gain a level of trust that builds pathways throughout the enterprise. Subsequently, we can remove those informational asymmetries, elevate the conversation across the organization, and lead strategically.
This Cyber News was published on www.darkreading.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000