An essential requirement of being a Chief Information Security Officer (CISO) is stakeholder management. In many organizations, security is still seen as a support function; meaning, any share of the budget you receive may be viewed jealously by other departments. Bringing change to an organization that’s set in its ways can be a challenge (even when you’ve been hired to do just that). But whether you’ve been brought on to initiate digital transformation or to bring an organization into compliance, you’ll need everyone to see that it’s in their best interest to work together on the program.
I sat down to discuss some CISO Stressbuster tips with my colleague Abbas Kudrati who has worked as a CISO in many different organizations for over 20 years before joining Microsoft. Here are several things we identified as important to weathering the cybersecurity storms and in Abbas’s own words.
Abbas Kudrati, a Chief Cybersecurity Advisor at Microsoft shares his advice for relieving stress in today’s CISO Stressbuster post.
1. Business engagement makes a difference
My passion is for building or fixing things. My reputation in those areas means that I am often engaged to work on a new project or implement changes to an existing system. I’m a generalist CISO who works across industries, but in every role I’ve undertaken I’ve managed to get something unique done, and often received an award as well. My tasks have ranged from achieving better compliance to improving incident response plans or aligning with international standards such as CREST UK or COBIT 5.
My focus is on implementing the changes that are needed to make a difference and then finding a good successor to take over maintaining and operating a large, complex environment. My typical tenure as a CISO was two to three years, but I know some CISOs, particularly in large, complex environments such as mining organizations, where they’ve been in their role for six to eight years and running. They have a good rapport with their management; the CISO feels supported and they’re able to support the business in return. Those two things—engagement with management and reciprocal organizational support—are essential to being a successful CISO.
2. Know what you want to accomplish
It’s often difficult to gauge the state of an organization until you’re in it. Sometimes when you start a role you’ll realize how bad it is and think, “What have I gotten into?” You don’t want to mess up your CV by staying for only six months; so, you try to stick it out. But if the support and communication aren’t there, it’s not worth the stress of staying for more than two years. This is the common reason many CISO’s leave.
A different frustration can occur when you exceed targets. There have been instances when I’ve been brought on board to deliver a targeted result within three years but managed to accomplish it within 18 months to 2 years. Then in the second stage, the company says it can afford to keep it running. That’s not what I want. I want to make a difference and be planning around that; so, I can then choose to move on.
3. Hire and build the right talent
The final challenge, particularly in the countries where I’ve worked, is hiring the right talent. In the Asia-Pacific region, there’s a very competitive market for skilled individuals. In some situations, I’ve looked to use my academic connections to hire fresh minds and build them up. Not only do I get the skills I need, but I’m helping to support the development of our profession. This isn’t easy to achieve, but I’ve developed some of my most passionate employees this way.
4. Find mentors and advisors
It can be lonely being a CISO. Not many people understand what you do, and you often won’t get the internal support you need. It helps to find a mentor. I’ve always sought out mentors in the role of CISO who are doing security in a more advanced way. Don’t be limited just to finding this in your immediate location. Find the right mentor in any industry or region, and today that person can be anywhere in the world. In Australia, there are only a handful of people in organizations large enough to have a CISO at an executive level. Finding that international connection was invaluable to me.
Vendors and partners also can be a good sounding board and source of advice. I had a good relationship with the account team at Cisco and they introduced me to their CISO, who gave me a lot of valuable insights. This is something I’ve carried into my role at Microsoft—I provide our customers with the same kinds of insights and external viewpoint that I appreciated receiving in my earlier roles. Customers appreciate the insights you can provide, helping them to make tough decisions and evolve their strategy.
5. Burnout is real and career progression can be a challenge
Being a CISO is not an easy job. You’re on the frontline during security incidents; a routine 9-5 schedule is almost impossible. In the Asia-Pacific region, there are also limitations on where you can go to develop your career. Some countries are not big enough to have sufficient mature organizations that need a CISO. For example, there is a limit on how many CISO roles will exist in Malaysia or Indonesia. Australia is slightly bigger. Singapore has even more opportunities, but it’s still not on the same scale as countries in other parts of the world.
CISO’s often move on to be advisors, consultants, or even into early retirement. It’s quite common to see CISO’s retire and become non-executive directors on company boards, where their experience is invaluable. Being a virtual CISO allows you to share expertise and support, work on specific projects (such as hiring a team), share expertise, or educate an organization without being tied into permanent employment. When moving on, a CISO will often take a reduction in salary in exchange for a reduction in stress and regained family time.
For me, the move to being Chief Security Advisor for the Asia-Pacific region at Microsoft was a logical and fulfilling step. I can pay forward to customers that support that I received from vendors as a CISO. My experience and expertise can help organizations better consider the changes required to undertake a successful digital transformation.
6. Discipline and human connections are essential
There is so much disruption in a CISO’s working life; it’s important to focus on your physical and mental well-being as much as your work. Take regular breaks; go outdoors and get some fresh air. Take time for mental well-being with meditation or physical exercise. COVID-19 has underlined how important it is to connect with your family. Since a crisis may interrupt your holidays and weekends, don’t count on those times to relax.
Building your ally network both within the company and outside is essential to maintaining your sense of balance, perspective, and support. I really like the concept of allies that Microsoft fosters across different groups, backgrounds, and environments. We all need to be there to support each other. Now that the whole world is connected, we can be, too. Checking how people are and supporting them is core to managing our group stress, and has never been more important than during a pandemic. Take the time to connect.
7. Truths to remember
This is a wake-up call for organizations that may be thinking of hiring a CISO, or just looking to fill a spot in an organizational chart—having a warm body in that position is not enough. Business executive and leadership teams must provide adequate resources and give the CISO the ability to manage risk and help the business be successful. Keep these tips in mind when you’re hiring:
- CISO’s don’t own security incidents; they manage them.
- CISO’s need access to all business units for success.
- CISOs need to understand the business to be effective; please mentor them.
- CISO’s need to collaborate with their peers; so, don’t isolate them.
- CISOs need to be involved in all technology decisions to manage risks.
Being a CISO is a dream job for many cybersecurity professionals, including me. The job is stressful; however, many CISOs accept the challenges because they feel they’re making a difference. I enjoyed having that sense of purpose and leading teams toward a specific goal. That focus—and the opportunity to be part of a leadership team—is becoming a requirement for today’s modern security executive. With this in mind, how will your business optimize its practices for the sake of your CISO’s success?
To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.