This post is the second in a series of three supporting our new eBook which seeks to get under the skin of the people in InfoSec. It’s not a big data-driven survey, but rather a collection of colorful opinions from interesting people about the humans who play a part in defending our online world from attackers. And this time, we'll be taking a look at things from the CISO's perspective.
We hope you find it an interesting summary whether you’re a front-line SOC Analyst trying to understand your colleagues, a weathered researcher trying to figure out what makes people tick, or a senior security leader looking for insights to help you manage your team.
The one in the big chair, the CISO, is often where the buck stops when things going wrong, and they’re often tasked with the responsibility of keeping the company secure. So, what character traits should the most successful CISOs exhibit? Wolfgang Goerlich, advisory CISO at Cisco Duo, said critical thinking skills are essential, but you will also need a good sense of humor.
Heath Renfrow, CISO of the Conversant Group, said integrity is the “number one trait in this field”, while Quentyn Taylor, Director of Information Security at Canon EMEA, said cybersecurity is a broad church, “and there is a space on a pew for everybody”.
As the CISO is often tasked with the acquisition and management of technology and people, we also asked them what they needed to do their jobs better.
Goerlich cited the human factor, which he called “the last mile”. According to him, we need to get better at understanding how to build systems that work for non-InfoSec folks, as well as “how to make InfoSec a more humane and better experience”.
Renfrow said it’s not that employees are doing things badly – it’s about not having the resources to match the threat actors. “We need executive-level support and understanding that the security challenge we are facing globally isn't going away – it will not get easier, and it will not get less expensive.”
Another important factor is looking after a team who will have been working remotely for close to a year.
What is the best advice for doing that efficiently to ensure morale and mental health issues are addressed?
All three of the CISOs cited being available for team communications, with Taylor recommending having short meetings without an agenda and asking people how they are, while Goerlich suggested working open office hours and keeping WebEx and communication tools open.
Taking breaks was also highly recommended for personal reasons, as it is easy to work longer hours when working from home. Renfrow recommended taking time away from the phone and desk during the day, and to “disengage on weekends from phone, keep it only for emergency notifications, and enjoy family.”
The responsibility on the CISO has increased over the years, and the unique nature of 2020 only amplified this. For more insights like these, from a wide range of interesting people, read Cyber Humans: The People of InfoSec on the People of InfoSec now.
Dan Raywood
Information security journalist, moderator, speaker
@DanRaywood