The Types of CISO

The 3 Types of CISO: Know Which You Need

In “What’s the CEO Equivalent of The Peter Principle?” I posited that there are 3 kinds of CEO:

  1. Those good at starting a company;
  2. Those good at building start-ups to the point they can go public, or be acquired; and
  3. Those good at leading a company for the long-haul.

…with the theory being that unless the CEO knows which s/he is, s/he’ll eventually run a company into the ground. No CEO is really good at more than one, and I’ve met too many who aren’t good at any of them.

The CISO role is no different, and if you’re looking for one, you had better ask the right questions of your candidates. However, if you are a CISO or want to be one, then you must know which kind you are or you’re setting yourself up for failure.

What Are The 3 Types of CISO?

  1. The Planner: The p-CISO comes in at the beginning of an engagement, before an organisation even knows what it actually needs. Their job is to design a security program that does the only thing it’s supposed to do: support and enable the company’s business goals. The p-CISO must also write the Governance Charter, get the CEO to sign it, then implement the Governance Committee. 99% of all security programs fail at this stage, so this is perhaps the most difficult task of all.

     Of the 3 types, this is the most creative, but also the least detail-oriented, which is why they probably should not try to run the program long-term.

  2. The Executor: e-CISOs get things done. They take the hand-off from the p-CISO and put the agreed plan into action. While this may seem more like project management, there is a lot more to it than that. Putting a security program in place takes a shift in an organisation’s entire culture. Installing a firewall is easy; getting the CEO to accept full accountability for the ISMS is a Herculean task.

     This type has the rare ability to focus on enormous amounts of detail, but is political enough to bring the people components together.

  3. The Optimiser: o-CISOs are in it for the long-haul. These are the folks who take the still raw security program and make sure it gets fully instilled in the company culture and business-as-usual processes. They will also likely Chair or Co-Chair the Governance Committee.

     This is the most political of the 3 types, and it is the o-CISO’s incredibly difficult task to ensure that IT, IT Security, AND the business side all do their part. The depth and breadth of the position makes it one of the most difficult jobs imaginable.

Ignorance of these 3 types certainly goes a long way toward explaining why CISOs last less than 2 years on average. Organisations ask the wrong questions, and prospective CISOs have little concept of their own limitations.

I’m not saying that there is no overlap in these roles; there is. I’m also not saying that a single individual can’t be fairly good at more than one; they can. What I am saying is that, in practice, the skill-set required to be REALLY good at these roles is mutually exclusive. For example, I have never met someone who thrives on creating something from scratch (p-CISO) who has any interest whatsoever in baby-sitting something for the long-haul (o-CISO).

And that’s OK; you don’t have just one kind of doctor or lawyer, so why should a CISO be any different?

Unfortunately, too often the CISO role is seen as the ultimate goal in the career of a cybersecurity expert. But the fact remains that this role suits very few people long-term. Both p- and e-CISOs are senior level consultants; only the o-CISO is a long-term employee.

And let’s not forget: Make the CSO Role a Board Appointment, or Don’t Bother Having One. The CISO is no different.

I’d be very interested to hear what actual CISOs think of this theory.

[If you liked this article, please share! Want more like it, subscribe!]

Don't Hate the Salesperson

Don’t Hate Salespeople, Hate the Person

[OK, so you shouldn’t hate anyone, but; “Don’t Have Significant Issues With…” is nowhere near as catchy.]

In an otherwise spot-on article by Peter Smith, “Why do we hate (our own) sales people?”, he made what I believe is a fundamental error, especially given his premise.

He says of salespeople that they are the “…life blood of the company…”, that “If they don’t sell, the rest of the company doesn’t work.”, and finally that “These are your top performers.” It’s that many salespeople actually see themselves this way that causes a lot of the resentment or even hatred.

There is absolutely no question that sales is a critical function in any organisation, but it’s not the most important. There is no such thing as a most important department. It’s like saying the heart is the most important organ in the body; just try living without your liver.

Who makes the products or services they sell? Who delivers them? Who arranges all the financing etc? Who ensures the contracts are in order? Without any one of these things no company can survive. A real salesperson is only ever as good as the things they sell, and the teams around them.

I say a ‘real’ salesperson because they are the ones with both the integrity to only sell what the client needs (not asks for), and to use his/her entire support team in the process to ensure mutual benefit.

From my experience, the majority of my issues with salespeople fall into three main categories:

  1. Lack of Product/Service Knowledge: We’ve all met salespeople like this, all smiles and no substance. This is not a salesperson, this is a clown; a real salesperson is extremely well versed in his/her wares. They may not be an expert in the overarching subject (cybersecurity for example), but they know who is, and whom to bring to the table when required to answer the prospect’s questions. The best salespeople I’ve worked with are facilitators who piece together solutions by putting the right people in front of each other;

  2. Selling to Their Quota: I use the word hate way too often, but I REALLY hate the American way of selling. The quota system is ridiculous, and forces salespeople into a never-ending spiral of price compression and end-of-quarter discounts. You sell my time as a consultant for half what it’s worth just to reach your target and we’ll be having a very short conversation. Words like ‘fired’ and ‘incompetent’ will be used liberally;

  3. Selling Outside of Their Skill-Set: To me there are two types of salesperson:

     Hunters – Very aggressive, easily bored, hate detail, DESPISE paperwork. Basically, these folks want to get in, get the deal signed, and move on to the next ‘battle’; and

     Growers – Less aggressive, and tend to prefer to relate to the client on a more personal level. These are the folks who will take the initial sale and turn it into years of up-sells / cross-sells through their deepening understanding of a) the client’s business, b) the client’s people, and c) the state of their security program.

     Selling outside of your skill-set is a sure way to mess the whole thing up for everyone.

A real salesperson does none of these things, and I have met some truly exceptional salespeople whom I am also honoured to call friends.

So if you hate salespeople, you either have a company full of bad ones, or you have no idea what they do. Selling is difficult, VERY difficult, and a good salesperson has a skill-set most of us cannot even hope to duplicate. As an introvert, the very thought of doing what they do every day gives me the willies. And that is just the tip of the iceberg. From research on prospective customers, to getting the first meeting lined up, to pitching an appropriate statement of work, the amount of work that goes into a sale is enormous.

From the other side, and as Peter Smith said very eloquently: “If a person is worried about having sales in their job title, then they probably do not have the right DNA.”

Salespeople are necessary; they are NOT a necessary evil. But if you think you have what it takes to be one, try it for 6 months; 99% of you will beg for your old job back.

I know I would.


Make the CISO Role a Board Appointment, or Don’t Bother Having One

I’ve been reading a lot recently about how Boards of Directors (BoD) are starting to take cybersecurity more seriously. While I applaud this, and believe the trend can only be a good thing, in practice this is little more than lip-service.

Example scenario: let’s assume the CEO is not actually on the BoD.

Step 1: The Chairman, after receiving the requisite vote, will task the CEO with establishing a CISO position;

Step 2: The CEO tasks the senior IT person in the company (usually the CTO) with finding a suitable candidate, and;

Step 3: The CTO hires someone who ends up reporting directly to them.

Any one of these steps by itself is a mistake, but all three combined will result in the CISO role being nothing more than smoke and mirrors, or an empty suit. Having a CISO in this scenario may look good on paper, but they will be utterly ineffectual.

Per Steps 1 & 2: Instead, if the BoD make themselves accountable for the CISO role, they will have no choice but to do some homework. They won’t know the right questions to ask, so they have to find someone who can. Few people I have seen who make it to BoD level lack significant networks and/or support teams to tap into. They should use them.

The added benefit of having the BoD take such an active role in the CISO selection is they will have a much better understanding of what the person filling the role will actually be doing! Watching CISOs ask for budget from BoDs is a painful experience at best, and with just a little background the BoD can begin to speak the same language. The right CISO will already be familiar with the conversation in the other direction.

Per Step 3: Having a CISO report to a CTO is as much use as hubcaps on a tractor, and even reporting to the CEO has its limitations. While there is no way the BoD would/should take an active day-to-day role in the running of the company, having the CISO dotted-line into them gives the CISO the authority to perform their function properly. Anyone who can be fired out of hand for saying things the CEO doesn’t like will likely say very little. And let’s be clear, an ‘open-seat’ CISO will have a LOT to say.

In effect, the CISO role is very similar to Internal Audit. They are certainly answerable to the CEO for the majority of their function, but their jobs are not [necessarily] at risk if the findings are not what the CEO wants to hear. The dotted-line into the BoD makes all the difference in the world.

All that said, the CISO role is a very attractive one for most security professionals. It’s often seen as the ultimate goal, which is why new CISOs have a VERY short life expectancy in their first few gigs: THEY don’t ask the right questions.

As things currently exist, there are only 3 questions a good CISO can ask before joining an organisation:

  1. Can I talk to the CEO? – [If No, walk away.]
  2. To whom will I be reporting? – [If anyone lower than the CEO, walk away.]
  3. Does IT Security have its own budget? – [If No, you’ll likely spend most of your time begging for resources. Proceed at your own peril.]

Much like the CTO, a good CISO can be one of an organisation’s ultimate enablers, assuming they have not been hamstrung before they’ve even started.


Manager or Leader? I’ll Take The Third Option Please

Have you ever noticed that a lot of organisations purporting to embrace change and innovation end up hiring the same type of people who are the majority cause of their current challenges?

‘Talent acquisition’ is much like the famous [mis]quote by Henry Ford: “If I’d asked my customers what they wanted, they’d have said a faster horse.” By sticking to standard job descriptions and not looking for PEOPLE to fulfil the leadership’s vision, companies will get what they ask for, and not what they need.

I’ve never yet seen a job description (that wasn’t written by me, FOR me) that did not set me up for failure before I even began. There are people much better at certain things than me, who may actually enjoy doing them; why would you give those things to me?

Worst of all, above a certain level of seniority, you wind up being lumped into one of two categories, and if you’re REALLY unlucky, both: Leader and/or Manager.

What if you’re neither?

Here’s a little experiment I conducted:

I typed; “books on leadership” into Google and got >271,000,000 hits. If even 0.1% of those are ACTUAL books, that’s 271,000 books on leadership, some of which may even have been written by a true leader. Possible, but unlikely.

Then I typed “books on being a manager” and got >170,000,000 hits. If I apply the same criteria as above, that’s another 170,000 books to plough through.

Finally, I typed “books for neither a manager or a leader” and these are the top 5 hits:

  1. 3 Things That Separate Leaders From Managers – Business Insider
  2. Managers and Leaders: Are They Different? – Harvard Business Review
  3. Why All Managers Must Be Leaders – Forbes
  4. Leaders and managers, leadership and management … – CIPD Courses
  5. Why Managers Can’t Lead and Leaders Can’t Manage

OK, so I’ve completely tipped this in favour of the point I’m trying to make, but not ONE article on the first 5 pages of hits gets close to what I’m saying, which is:

People who are very good at what they do don’t need to be a Leader or a Manager, they need a great leader in whom to believe, and great managers to get the right people on board.

My favourite phrase on leadership is on www.despair.com: “Leaders are like eagles, we don’t have either of them here.” The same could be said for managers; both leadership and managing people are talents, not skills, and the really good ones are equally rare.

What if the skills you need, even temporarily, are actually in someone who’s neither?

A good leader has specific attributes that VERY few people have (hence LEADer I suppose), and I truly believe leadership is not something you can learn.

A good manager is, to me, someone who can recognise the talents and skills you HAVE, not the ones they either a) think you might have, or b) want you to have, or c) need you to have for the job at hand.

Focusing on these 2 senior-level talents ignores the vast array of other talents that require neither of these attributes to provide enormous benefit. Call them subject matter experts, gurus, trusted advisors, or a whole host of meaninglessly clichéd names; what you get is the same: someone who can take the leader’s vision and translate it into something the managers can act upon. Leaders usually can’t manage, managers should rarely lead, and neither has the necessary talents / skills / knowledge to bring the vision to life.

So if you have failed at fulfilling either of these roles (as I have many times), maybe they are not for you. But what you DO have could be of equal importance, if you know what it is.

No one likes to think they’re not a good fit for a senior position, but there’s little reason to extrapolate one or two bad ‘corporate’ fits into the rejection of an entire line of opportunities. Just make damned sure you ask the right questions up front. No, you can’t guarantee an honest answer, but hopefully you’ll know pretty quickly if they sold you down the river.


From Corporate, to Start-Up, and Back Again

In 2013 I was made redundant from a company where I had worked for the previous 12.5 years. I had grown with the company from the 14th person to join (as a firewall admin) to a position leading 28 people across 14 time zones in a company of over 1,000.

I subsequently discovered that I was basically unhirable, so I started my own consulting practice, which I thoroughly enjoyed. I then joined a very small start-up for a year, which I thoroughly enjoyed, and went back to my own practice.

I swore up and down that I would never go corporate, ever again. I convinced myself that there was never enough freedom, or room for innovation, or ability to make a difference in a large organisation to EVER go back. Not that ‘corporate’ would ever have me back.

Now here I am, at the end of my 3rd week at an organisation that is bigger by far than any I have ever worked for previously.

…and I’m thoroughly enjoying it.

Many times in the course of my blogs I have expounded on the need for self-reflection, on being honest with yourself enough to know when something was entirely your fault, and to adjust your career choices accordingly. Well clearly I had mistaken ‘corporate’ for my own inability to effectively create the change needed to stop me from being made “redundant”.

While I’m not saying I now have that ability, as I will always have a big mouth, when you’re in an organisation where ALL seem to want the change you’ve craved your whole career, it’s a feeling unlike any I’ve ever experienced at work. I’ve never needed, or even particularly wanted, to be part of a team growing up; I now find myself in one.

…and I like it.

Frankly I’m not even sure why I’m writing this blog, except perhaps as a tip for those who find themselves in a position where they cannot decide on the right place for them to work: corporate, start-up, self-employed, or somewhere in between. Every one of my jobs had its benefits and its downsides, and I’m under no illusion that this one will be any different. The only difference this time is that I have now seen both sides of the fence.

It’s not the fence that matters, your skills and talents have no fences.

The only reason I think that corporate fails to attract the truly entrepreneurial is that they are still very attached to job titles and descriptions, effectively pigeon-holing a person into a role that will always limit them. It’s the organisations that go looking for talents to fill known functional gaps, but then get out of the person’s way, that will attract the game changers.

Not saying I’m a game changer, but my title was only assigned to complete a field in the HR system, and my job description was a run-down of the challenges my new organisation was facing. And in just 3 weeks I have not only learned more than I did in the last 6 months, I have a learning curve ahead of me for which I can see no end.

I loved running my own business, and have no regrets about the start-up, but this little adventure is a revelation that has me very excited for the future. And the lesson I learned from all this?

Don’t limit where you look for your next job, just ask the right questions.


[Ed. June 2016: Clearly this gig did not work out, but I am still not against trying again for the right organisation.]