Being CISO: Part 1

by Black Hat Middle East and Africa

Throughout 2023, we had the privilege of talking to top CISOs and other cybersecurity leaders about their work. Those conversations taught us a lot – not just about the technicalities of cyber, but also about the human experience of working in the sector. 

In this two-parter we look at what it means to be CISO. First, let’s explore the deepest challenges faced by the people in charge of protecting organisations and users from cyberattack. And then in part two, we’ll look at why cybersecurity can be such a fulfilling space in which to build your career. 

Keeping up with an ever-changing cybersecurity landscape

Cyber never stands still. Because it isn’t just ‘cyber’ – it’s a sector that’s affected by every other sector around it; that’s influenced by regional and global geo-political events; and as a result of the digital transformation, it’s closely tied to the success of national economies. If cybersecurity isn’t working, then (almost) nothing does. 

That’s why Gram Ludlow (SVP, CISO at Marriott Vacations Worldwide) said that “keeping up with the dynamic landscape of security is a challenge for all security professionals.”

“As a CISO,” he added, “I seek out opportunities to hear from thought leaders and security practitioners so that I can bring a fresh perspective into my own security program.” 

Bjørn R. Watne (SVP and CSO at Telenor Group) said, “These days geopolitics are playing a much bigger role than before, also in my field. Sanctions make it difficult to follow up on supply chains, and new regulations like DORA and NIS2 put more strict requirements on how we do initial risk assessments, that we, to a larger degree, include any involved third parties, and that we are more diligent in reporting incidents and vulnerabilities.”

And Michael Montoya (CISO at Equinix) noted that just as the landscape changes all the time, so too does the role of the cybersecurity leader. 

“The role is shifting,” he said, “we are entering the second generation of the CISO profession and now moving from Technical Operators to Officers. This transition requires our function to be Risk Leaders and Business Leaders. Our roles require us to accept we cannot stop all risk but need to help our companies manage risk in a way that helps empower innovation while building systems of resiliency that are designed to fail and secure by design.”

Gary Hayslip (CISO at Softbank Investment Advisers) echoed this – emphasising that cybersecurity is a discipline. “It’s not just taking a couple of classes or completing a college degree and then you are in this new job.”

Instead, “Cybersecurity is a field of study incorporating extensive soft/technical skills and experience. Couple that with the fact it’s continuous: working in this field you are always ‘on’. There is no time you are going to walk into work and everything is secure and you have nothing to do. Working in this field you must continually educate yourself on new technologies, new threats, and new risks. Working in this field you must get the basics right every day, every time. Again, it’s continuous, and takes focus and discipline to be effective.”

Intense expectations drive a high-pressure environment

Sam Curry (CISO at Zscaler) said,

“We are under tremendous pressure and strain, and the biggest problem is dialogue with businesses who think we are technologists first. We need better dialogue and not just to live with risk. We require improved communication and cannot simply tolerate risks. High levels of burnout and widespread issues like overeating and a sedentary lifestyle are prevalent. Taking the time to be healthy and social and active and taking the time for self-care matters!”

When we spoke to Lance James (Founder and CEO at Unit 221b), he pointed out that the structures of cybersecurity work can have a negative impact on mental health and the enjoyment of work. 

“Unfortunately, our industry often suffers from imposter syndrome,” he said, “where individuals feel like frauds or believe they aren't good enough. This issue arises from constant comparisons to others, which the hacker community and hierarchical tech environments inadvertently reinforce due to their achievement-based structures.”

Megan Samford (VP and Chief Product Security Officer for Energy Management at Schneider Electric) explained the pressures of cybersecurity by likening them to the field of disaster science. 

“When I first started working mainly in cyber I tried to convince myself that it was very different from the emergency management world I came from,” she said. But over time, “I’ve found that really both are just disaster sciences, although cyber doesn’t yet know it is! The foundations of what it means to protect something are the same – they’re just expressed through different threat models and control points.” 

And within all of the expectation and pressure, cybersecurity is still hard to explain to people who don’t actually work in the sector. So CISOs are often battling to make themselves heard by other organisational leaders – at the same time as carrying the weight of their critical work. 

Dr. Kenneth Geers (External Communications Analyst at Very Good Security) put it like this:

“Cybersecurity is hard to quantify – and therefore to justify. Some lucky organisations may never experience a targeted attack, and as a result, they may wrongly conclude that cybersecurity is not worth the investment. However, as soon as that same organisation grows big, rich, or important enough to land in the crosshairs of an advanced attacker, it may be too late.” 

All challenges are compounded if you don’t have the right team behind you

Matt Lemon PhD (CISO and VP of Cybersecurity at Huawei) said that “currently, the biggest challenges are recruiting and retaining the best people.”

“It takes time for people to get up to speed in a new business and it is sometimes like a revolving door of team members. We also have the same challenge as many other multinationals which is the cultural differences within the different areas of the business. If people work in a truly collaborative way then that challenge is often more of a benefit than anything else, helping people to see and understand things with a different perspective.”

And the importance of a high-performing team came up again and again in our conversations with cybersecurity leaders. Makesh Chandramohan (CISO at Aditya Birla Capital) said:

“Build a strong team, provide them with best in class training, empower them.” Offer them clear guidelines on their roles and responsibilities and ensure that your organisation has robust governance and effective communication across all levels. 

And finally, “be focused.” The cybersecurity sector is full of new products, threats, and fresh distractions, so you have to stay connected to your most important objectives.
