3 CISOs Walk Into A Startup...
A story of how three different people can react in different ways to the same situation...
I was watching a video on beekeeping in which three different groups of beekeepers came to three different conclusions about the same beehive. The answers were very surprising and touched on emotional intelligence in a way I had never considered in beekeeping.
It really inspired me to write this short story, and it definitely relates to what I see in the field every day.
Three CISOs walk into a startup…
The first CISO comes home worried that nothing will get done, calls the CEO, and complains about everything they saw and what a mess it is. They get fired on the spot. 👉🏼
The second CISO comes home so worried that the company is about to get hacked that they jump back onto LinkedIn looking for another job before the breach happens on their watch. 👀
The third CISO comes home, calls her boss, the CEO, and tells her there is a lot of work to be done and to be prepared, but that it’s an excellent opportunity to get it right. The CEO backs her up. 👍🏼
CISOs Need To Be Resilient
Things will not go your way all the time, and you will need to weather the tough times. If you do your job correctly, there is definitely a light at the end of the tunnel. Then you go and do it again somewhere else.
I was watching Chris Hadfield’s Masterclass on Space Exploration, and he spent a whole chapter on the risks of space exploration. With great reward comes great risk. There are inherent risks that must be acknowledged, and things will go awry, but that is not a reason to give up or fall into despair.
A friend of mine, Erik Cabetas, founder of Include Security, summed it up pretty well: “CISOs should remember that no company in history has ever been fully secured. Measured risk enumeration and prioritized remediation is the key to both excellent performance and sanity in the role.”
CISOs Must Exhibit Self-Control
The CISO is often the Incident Commander during an incident response, so they need to maintain self-control and a cool head at all times. Data is your friend here: let what you can actually observe drive the severity call, not fear. It’s hard to find the balance between waking up the CEO for every alert and complacency during a real incident.
Reacting as if the sky is falling without offering actionable steps to those around you can be detrimental.
CISOs Have To Be Emotionally Aware of Their Audience
Choose your battles.
Know your audience.
Read the room.
These all apply. There is a time and place for everything. Know what to say, when to say it, and whom to say it to.
Avoid technical jargon with non-technical people
Be concise and actionable
Be precise and specific
Do not be Chicken Little