Hello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader. My name is G. Mark Hardy, and today's episode is something special for us and we hope for you as well. It’s hard to believe it but CISO Tradecraft has been producing episodes for about two years now. This is our 100th episode! We've covered quite a bit of ground over that time, and we thought we would do a little reflection on our previous episodes and highlight seven differentiators that set World Class CISOs apart from others. So, stick around and learn these seven tips that will enable you to enhance your CISO Tradecraft and help you have a more successful career.
- The first tip we want you to understand is that you must always help others to understand your viewpoints through Connection. Now there is one thing to note: the way you connect depends on the size of the audience. We observe that there’s usually three different audience sizes that you will connect with: Individuals or 1:1, Small Teams (between 2 and 20), and Large Groups (more than 20).
- With Individuals it’s all about building the one-on-one connection. An example of folks who excel at building connections are spies. Spies have a mission to build connections with others and recruit them to share important information. Now if you go back to Episode #84, we brought Robin Dreeke on the show to talk about Building Relationships of Trust. Robin was a long time FBI agent who excelled in recruiting and turning Russian spies. In the episode, Robin talked about the key to building relationships of trust. He mentioned four key recommendations:
- Seek the thoughts and opinions of others;
- Talk in terms of priorities, pain points, and challenges of others;
- Use nonjudgmental validation (i.e., seek to understand others without judging); and
- Empower others with choices and give them the cause and effect of each choice.
There’s a lot more detail in that episode, so be sure to check it out if you haven't yet listened to it. We would like to add one more key point to these thoughts from Robin. It’s about seeking the thoughts and opinions of others. You might be thinking to yourself, how do I connect with others, so they actually tell me their unfiltered opinions? Jim Lawler, a 25-year veteran CIA operations officer came on Robin’s Dreeke’s Forging Trust podcast and provided a very interesting quote, “You don’t recruit people when you are in transmit mode. You recruit people by listening.” Therefore, find ways to listen with great questions. Imagine if you asked these three powerful questions from Andy Ellis:
- What is the stupidest risk that we are not taking care of that no one has dealt with?
- What is the dumbest security control that gets in your way?
- What is something that you wish we did better in security?
Now after you ask those three questions, take Jim’s advice, and just listen. We mean to actively listen to every word coming off of the other person’s lips. Don’t just listen for the purpose of responding right away and providing your opinion and guidance. Remember, good listeners are very hard to come by. It’s uncommon to find people who really take an interest in others. So, listen with the purpose of understanding what the other person wants, not what you intend to say back. When you care enough to truly listen, people feel heard, which generates a connection.
- Small Teams - In addition to listening with others you will often need to connect with small teams. This might be your executive leadership team. It might be your boss and your peers. To build connections with small groups you must enable Conversations of Candor. If you haven’t heard of the word candor it means the quality of being open and honest in expression or frankness. Here’s two examples of doing that:
- On Episode #27, we talked about how the Boy Scouts use the concept of Roses, Buds, and Thorns. For those who were scouting leaders, after each campout you would talk about what’s going well (i.e., roses), what new ideas are working (i.e., buds) and what are the things you want to stop (i.e., thorns). By consistently asking these questions in each of your staff meetings, you enable everyone the opportunity to speak their mind. They have a venue to speak up. Now if you really want to connect with small groups and build trust, then please act on their guidance. If someone says a particular person isn’t responding, reach out to that other individual and say, "I would appreciate if you could assist so-and-so with this problem." You're using the power of your leadership position to influence this other person. When you step in for your team and work to help them, they will consider you as a good leader who helps his or her people. [Navy story] By doing this, you enable trust and strengthen connections.
- Another example of creating conversations of candor is problem framing. Note you can learn about all the steps in problem framing from Episode #14, How to Compare Software. Now in today's discussion we're not talking about software but about people, but in that episode, we talked about the importance of applying problem framing to understand limitations and politics. The first two steps of the seven in that methodology were defining the problem and stating the intended objective. To best solve problems in an organization, it’s important everyone agrees that something is a real problem worth focusing on. If each person has a different problem in mind, then there really isn’t going to be any meaningful agreement. Start by getting consensus -- we all agree this is the exact problem we are solving today. Once the room agrees on a problem, you need everyone to agree on an intended objective. You can think of these as SMART goals. You know the acronym: specific, measurable, achievable, relevant (or realistic), and time bound. For example, let's say that today our organization is unable to retain quality talent. We see many of our best and brightest going to other companies for more money. So, your organization creates an intended objective. For next year, we will seek to retain 80% of our employee population throughout the year that are not retiring. This metric will enable our company to measure ourselves each month to see if we are successful and will allow everyone to connect by working together on the same issue. Naturally, there needs to be resources allocated to achieve this goal; but if you have this stated objective in place, you're much more likely to set up your organization for success.
- Large Groups- The last audience size is large groups. In large groups you don’t have the opportunity to connect with everyone and have detailed conversations. Additionally, with over twenty folks it becomes very difficult to have a conversation with everyone being able to provide their opinions and feedback. So, for this audience, we recommend using gamification techniques to build connections. Most executives are competitive. We have all been involved in friendly competitions growing up as well as many of us have played some type of organized sport. So, if we can create a game that increases active participation, provides immediate feedback, includes dynamic interaction, has competition or novelty, and improves a company’s ability to achieve a goal, then you are on to something truly special. If you would like to learn more about gamification concepts and the four player types that you need to support, please check out Episode #65 which is entitled, "Shall We Play a Game?"
- The second differentiator of the seven used by World-Class CISOs involves understanding how to build an effective metrics program that drives ownership and accountability. If there isn’t someone accountable, then chances are the project is going to fail. So, we need to have an accountable party and a good metric to show progress. Remember, that which gets measured gets done; that which gets done well gets funded again. To create good metrics, we want to you use the 4 Lines Approach. Every metric needs a start line, a trend line, a goal line, and a timeline.
- A metric needs to have a Start Line to show the current status of where the organization is right now. This allows the accountable parties to have a scoreboard. You can think of playing a pick-up game of basketball. If you are just playing for fun, people might not play their best. However, if you put up a scoreboard, suddenly it becomes competitive, and players put forth a little more effort. This helpful competition increases individual as well as team productivity.
- A metric should have a Trend Line to show how things have gone over the past four months. Are things getting better, getting worse, or staying the same? This tells management when something is going wrong, because negative trends indicate we need to change our course of action. For example, if we see that the number of high and critical vulnerabilities on our SOX applications continues to increase, then we need to identify the root cause. Are there enough resources on those teams, is something wrong from an architecture perspective, are our vendors not giving us the support we need, and so on? If you are not watching the trend line, you will miss identifying when things are forecasted to go bad and end up taking corrective action much later than you could have.
- Metrics need a Finish Line- This is a goal that the organization is targeting. It has a clearly defined definition of done. For example, let’s say we really care about ransomware and being able to restore critical applications from offline backups. We need to be specific on our restoration capabilities. If a server goes down do we have 4 hours, 8 hours, 24 hours, or more before it catastrophically impacts the business? This matters since the business is going to have to both recreate all of the data lost in that amount of time as well as account for loss of operational efficiencies when key IT systems are down. Compliance can have a big impact on this as well, so make sure you know your requirements.
- Metrics also need a Timeline- We need to set a time to which we hold people accountable for reaching the finish line. Goals or definition of "done" might go on forever, which isn’t what you want. You want results and that comes from accountability. Therefore, ensure every task has a clear owner with a clear deadline. Note if you want to hear more about these four lines, please check out Episode #69 on aligning security initiatives with business objectives.
- The third differentiator of seven for World-Class CISOs is understanding the shift between being competent versus being effective. On Episode #62 entitled Promotion Through Politics, we talked about the four major phases in your career and the different skillsets you must display to get promoted. At first you are an individual contributor. In this role you get promoted by demonstrating technical skills. This phase usually lasts several years, and if you are proficient in your area of expertise, you'll get promoted to first line manager. [If we use the Navy as an example, if you're a skilled pilot you'll compete well for promotion to Lieutenant Commander, or Major in the non-sea services.] Here you must demonstrate your management skills -- executing to budget, managing paperwork effectively, meeting deadlines. If you learn and do all this well, you get to become a manager of managers and are welcomed into middle management. [Back to the Navy, if you do well as a department head, you'll be a strong candidate to promote to Commander (or Lieutenant Colonel) and select for Executive Officer or Commanding Officer.] This is where you must demonstrate leadership skills -- inspiring and strengthening your team, setting and achieving stretch goals, accomplishing your mission through innovation. [Today, less than half of those officers will be offered a promotion to Captain (or Colonel.)] If you've seen the Top Gun Maverick movie, you'll see that Tom Cruise's character as a Captain does all of these things -- he portrays a seasoned leader building a team, teaching teamwork skills, inspiring confidence, and leading by example rather than just playing a hotshot pilot competing against his peers as he did in the first movie (although he still is the best of the best in the cockpit, but I don't want to spoil any of the plot if you still want to see it.) This is where you get some of the most rewarding opportunities in your career -- leading men and women in accomplishing great tasks. Many careers top out here. Brigadier General Jeremy Horn writes in his article, The 10 Secret Rules of the Colonel, "Colonel is the last rank that you can make through personal effort. Everything from here on out is luck and timing." He's right. Invitations to the executive suite, known in the military as Flag Officer, requires excellence in your record, your reputation, and your relationships. If you want to read some more of my thoughts on that topic, look up my article on Running Up the Flagpole. Finally, if you are lucky and haven’t burned too many bridges you get welcomed into the executive level. [In the Navy, that would be promotion to Rear Admiral (Brigadier General), a selection rate by the way that was less than 1% in my community. Think about that -- 99% of Navy captains retire as captain. Essentially, you can consider this as your terminal pay grade. That realization does one of three things -- there are a few that hit cruise control and are on what we call the ROAD program -- retired on active duty. The majority work well in their roles and serve honorably and effectively while looking for a good civilian job to transition out of the military. But for a handful of us, it became "no fear" -- leadership couldn't hold not getting your promotion over your head if you took a risk and lost, so you go for things that are considered impossible and make them happen. [pin on story] If you consider some of the names you might remember from the military -- Colonel John Boyd's OODA Loop -- observe, orient, decide, and act; Colonel David Hackworth, the most decorated officer from the Korean War and the Vietnam War with two Distinguished Service Crosses, ten Silver Stars, and eight Bronze Stars -- they retired as Colonels, not Generals]. In this final career phase at the very top, it's not about leadership, it's all about politics. Leaders show their political acumen to get recognized as being able to serve at this level. Those who do not understand this think they're just brown-nosing, but it really is a manner of virtue-signaling, IF done at the right point in one's career.
Now as you are moving between levels in your career there’s one subtle thing that we want to you understand about executives. It’s this concept of being competent versus being effective. When you are in an individual contributor and first line manager roles, you must be competent. For example, a pentester who can’t go hands-on to the keyboard to find vulnerabilities isn’t providing much value. A firewall engineer who can’t change the access control rules isn’t helping. You must display competence. However, by the time you are a manager of managers you aren’t touching a keyboard much anymore. So, your competence isn’t as important. It’s important you know what good looks like so you can provide your team guidance. However, your ability to troubleshoot a firewall is probably behind you. You need to make the shift to focus on effectiveness. Instead of improving only yourself, you need to improve the effectiveness of the people assigned to you. If you could make everyone 100% more productive, then that is like having twice as many people on your team. Here’s another example. There was a company that hired a CISO who wasn’t technical. He had never had traditional cyber security roles such as running a Security Operations Center, building a compliance organization to keep auditors happy, or implementing antivirus and firewalls. However, this CISO was really good at connecting with others and getting resources. After meeting with all the technical experts within the cyber organization, he learns they needed funding. So, he plays a round of golf with the CEO and gets the resources necessary to increase the team size to the appropriate levels. Later on, he gets asked technical questions by the CIO about why the application security tools have so many false positives. He responds that he will discuss this concern with his technical experts. Later on, he brings those experts into a meeting where they brief the CIO on why the AppSec tools have issues and the recommended way forward to fix them. This resolves the CIO's concerns. We mention this story because the CISO was not competent as an application security expert. However, he was extremely effective in his role. Of course, competent CISOs can do more, but the main point we want you to understand is at the executive level you need to spend your time learning how to get things done more effectively, and you do this by enabling (or coercing) others to accomplish the work, not by becoming increasingly competent as a technical contributor.
- The fourth differentiator of World-Class CISOs is they are amazing communicators. Who wants to listen to a boring presentation? The answer is no one. So don’t be that type of speaker. Imagine you are a world class communicator that your CXO peers love hearing from. That type of speaker is going to get invited to talk again and again. When that happens, you get the opportunity to influence, to change behavior, to discuss high priority risks, and to be seen. This is all goodness. On Episode #61, we talk about presentation skills and how to give great presentations. We discuss a JP Phillips Ted Talk that explains if you want listeners to remember your talk, try adding a cliffhanger. If you want to build trust with a team, then tell something vulnerable about yourself. Finally, if you want people to be focused and relaxed, try being overly dramatic or funny. Also don’t just try to communicate via email and PowerPoint. On Episode #75, Avoiding Death by PowerPoint, we talk about using escape rooms, tabletop exercises, and polls to create unique experiences that others will enjoy. Mix it up a little and you'll improve your ability to influence others.
- The fifth differentiator that sets up World-Class CISOs for success is they align security initiatives with business objectives. In Episode #69 we talk about profit generation, cost reduction, service enablement, and customer and market outreach as the four key objectives that build profitable growth for businesses. To best learn the business objectives and build relationships of trust with the C Suite, you need to learn how to partner. We give detailed explanations of this process in Episode #70, Partnership Is Key. One example is the marketing department. They often direct where the IT organization needs to build its next webpage or widget. However, marketing folks are often not technical. Now imagine if you are the CISO that really gets on well with them. So, you and they both partner together to identify a way to send marketing material via text and social media platforms such as TikTok, WeChat, and others. Marketing estimates this will create millions of dollars of new sales. So, the marketing team, the CIO, and the CISO brief the CEO and CFO to ask for an additional budget to perform this effort. The CEO and CFO hear the business case and listen to the CIO saying this can be built in a six-month time frame. The CEO and CFO also hear from the CISO that this can be done securely. After due consideration, they approve the funding request. Guess what? That’s a big win for the company. Since you were involved early with marketing, you also have the greatest opportunity to design security correctly on the new solution, versus being asked to approve something the week before going live. So, find ways to connect through partnership and always focus on enabling business objectives.
- The sixth differentiator that sets CISOs up for success is they can create effective risk governance and management processes within an organization. The business must see that cyber is a business risk and not just an IT risk. For example, when system XYZ is unavailable, how does that affect each of the users of that IT system? What business processes fail? What are the potential impacts on revenue and customer service? This is why cyber risks need to be acknowledged by both the business owners who can identify the consequences of downtime and the IT maintainers who can actually remediate the findings.
Now one important thing to remember is approval authorities. For example, who in the organization has purchasing authority for two million dollars of software? Can any manager do this, or does it need to receive approval from a director, vice president, or senior vice-president? A quick conversation with the CFO can confirm spending levels. Once you know the spending authorities, then you can make a comparison that accepting two million dollars in cyber risk is the same as approving two million dollars in additional spending. If a third-party risk assessment identifies two million dollars in new software risk, then the business must acknowledge the risk by either moving forward, rejecting the software, or finding a way to remediate the vulnerability before using the software. Remember, the purpose of cyber isn’t to say "no." The purpose of cyber is to be in the business of revenue protection. Cyber protects revenue when the business owners can make business decisions in their best interest. Most business executives will not understand the likelihood of a system being compromised, but that’s where cyber can show real value. Cyber can communicate the vulnerabilities within systems to the business in risk committees and governance boards. This allows cyber and the business to document the risk decisions being made. When you document discussions and decisions based on risks and money, then you are acting like an executive. This is the way to success.
- The last world class differentiator for CISOs is they are successful in their jobs. Want to know how to set up for success in any job? If so, then please follow this piece of advice. You must accomplish three things:
- First you need to get the job done. If others refer to you as a "closer" for finishing the job, then you build trust. When leadership knows they can trust you with little things, you get bigger responsibilities. Mission accomplishment is the coin of the realm.
- The second thing to being successful in any job is you must cover all the angles. Never let an overlooked detail derail you. Good executives run efficient programs and projects that finish on time and within budget. When things don’t go as forecasted there should not be big surprises to anyone since you keep a close watch of the details. If you keep track of the details and think things through, then you can be successful. You can succeed in this area by creating a culture of no-fear, specifically of not shooting messengers. Are your people confident they can come to you early with potential issues for situational awareness, consideration, or possible resolution? Can even your most junior person speak up and point out what might be a problem? If it isn't, don't cut them down, but patiently point out that that issue is already covered, but thank you for keeping your eyes open, and if you see other potential problems, continue to speak up. You make better decisions when you don't have people afraid to bring you bad news. I think we can all imagine a global leader today that none of us would want to approach saying things aren't going well and according to plan. Don't be that kind of boss.
- The final and most important thing to succeed in any job is to keep the customer happy. Remember, if the customer isn’t happy, then it doesn’t matter what you have done. The key thing to remember is determining who is the customer with every project. Sometimes it’s your boss, sometimes it’s the business, sometimes it’s actually an external corporate customer. If you know who that is and you keep them happy, then you usually have a high probability that you will stay gainfully employed.
Well, we hope you have enjoyed listening to the seven ways world class CISOs set themselves up for success. Let's recap:
- They focus on building connections;
- They leverage effective metrics programs that drive ownership and accountability;
- They know effectiveness is more valuable than being competent at the executive level;
- They are great communicators;
- They align security initiatives with business objectives;
- They create effective risk governance and management processes; and finally,
- They practice the three tips to be successful in any job.
If you want to learn more great tips on being an effective CISO, please take a look at our GitHub Page which lists each of our podcast episodes under ten high-level topics. Also note there’s a link to each of the episodes we mentioned in our show notes. And finally, if you learned something that you like, please help us celebrate one hundred episodes of CISO Tradecraft by leaving us a 5-star review on your favorite podcast platform -- those ratings really help us reach other security leaders. The more CISOs we can help, the more businesses we can protect. This is your host, G. Mark Hardy. Thanks again for listening and stay safe out there.