Navigating the CISO Role: Common Pitfalls for New Leaders
What are the top mistakes I see new security leaders continuing to make in 2024, as they begin their CISO career or take on a new role? How can these challenges be addressed?
Top five mistakes that new IT security leaders make
It may surprise you to learn that despite the many changes and advances in the technology and cyber security industries over the last decade, my advice is still relevant and these areas remain top concerns – with some new twists.
Here are the top five mistakes I made in 2013 (although I recommend reading the entire article).
1) Say “No” to becoming “Dr. No”
You’ve created a list, and double-checked it. You’re now ready to use the newly acquired security powers to stop all the bad things happening in your company. Be careful …
You don’t want to be known as a “party pooper,” despite the natural urge of a security leader to get out the hammer. Your goal is to be known as a facilitator of secure technology and innovation.
2) Not building your professional network 360 degrees
New security leaders should think about building trusting relationships with all levels of the organization (from superiors, to peers, to front-line employees). Meet your customers. Make sure you are visible in the right circles. During the first year, get involved in key enterprise committees and working groups. Walk around. Leave the office. You’ll be glad that you did.
3) Concentrating on the inside for too long: No public speaking, no blogging, no social media, no external committees. This area is similar to No. 2, but it is external to your organization.
Start early. It will help your team and you when times are tough. Your plan for success must include positive communication and stories of your team’s successes.
4) Poor vendor management/relationship habits: You can “fall off the horse” on either side of this external partner problem. Some security leaders spend their entire time with companies that provide security products and services, creating road maps, lifecycle plans, new upgrade strategies, and more. They spend their time meeting with a never-ending list of established companies and hot new security startups. Some people openly prefer one or two companies based on personal relationships or past experiences.
Others do the opposite, thinking that they are better than others or that their biggest problem is security vendors. Vendors can take up much of your time.
5) No external mentor: For some reason, new security leaders believe that they can do it alone because no one else has done the job before. Or they think they don’t need an external mentor because they have too little time.
Bad move. As soon as you can in your new position, find a mentor who is trusted and respected. It will be beneficial in many ways. Someday, you can return the favor by mentoring one or more new leaders.
Updates for 2024
What’s missing?
Most new CISOs hold the common, and accurate, perception that they must perform a baseline risk assessment of their organization. They are correct in this regard, as it is often necessary and/or required in order to measure progress against metrics.
What may not be as obvious is assessing the people involved in your processes and technology. Many new cybersecurity leaders will need to be familiar with audit findings, controls implemented (or not), identity, frameworks (like CSF 2.0), and other risk area checklists.
Some “people-related tips”
1) Surround yourself with experts who can help you strengthen your weak spots and blind spots.
2) Create a team of people who work well together. It is important to pay attention to those who report directly to you. (Side note: Many head coaches in college and professional sports bring their staff along when they change roles. Smart leaders know the importance of trust, and how the entire organization will sink or swim depending on trust in your leadership team.)
3) You can measure your progress in terms of how relationships are working on a 360-degree basis. For more information on how to do it, please see the article on how CISOs are evaluated.
The topic of building a team is on the minds of many new security leaders, whether they are CISOs or security directors, and it is often difficult to achieve, especially in the current environment, where it is hard to attract and retain security talent over a long period of time. This is especially true in the government sector, where pay, benefits and stock options are often lacking.
As I have said many times, a team of hard-working, capable security professionals is better than a team of security “rock stars” who are excellent, but whom I don’t trust.
Other security leaders hire people who aren’t as good as themselves, for fear of being outshined.
The point is: You can choose to support your team or not, but you should take the time to do so.
Before I conclude this blog, I would like to point you towards common reasons why all security professionals can fail. This list of CISO topics overlaps in many respects with the success and failure of CISOs.
FINAL THOUGHTS
Postings
I received many comments on a LinkedIn version of the article from 2013. Several of them were about CISOs with good management experience but lacking in technical skills. Here was Jean Pawluk’s comment:
“Well stated. I am starting to see CISOs who have no technical background and who don’t even understand security become obstructions, because they spend 99% of their time managing up, instead of learning the security needs of their organizations or preventing problems in the first instance. They prefer to accept almost all risks because they think that it’s cheaper later.”
My response: “Jean, I completely agree. You can fall off the horse either way. It could be a lack of technical expertise or a problem with communication between senior management and the business. In reality, the situation is more complex. There are five or six sets of skills and relationships that need to be examined.”
Bottom line: Every new CISO will bring strengths and weaknesses to their leadership role. We can still learn from others’ experiences and avoid the traps you are bound to face.