Several inflection points in the history of security have driven an expansion of the role security plays within organizations. The 2010s marked an era of public breaches that catapulted the prominence of the CISO role and, today, waves of new technologies and regulatory changes are leading to a new era of security.
To better understand the evolving demands of CISOs as they work to build effective teams, our own CISO, Ryan Kazanciyan, spoke with three security veterans: Jack Leidecker, CISO at Gong; Drew Simonis, CISO at Juniper Networks; and former CISO, Royce Markose. They discuss what it means to be an effective security leader and how they recommend you prepare for your next interview. This includes:
How CISOs can effectively collaborate with other senior leaders
Which questions to ask before accepting your next CISO position
How to build and support more diverse security teams
Collaborating effectively with other senior leaders
As security regulations become more stringent, the CISO role has become an increasingly important one on senior leadership teams. This means that CISOs are also more regularly communicating their team’s successes and challenges to nontechnical leaders at their organization. “We have to give board members and other executives metrics that are credible, but not overly technical,” says Simonis.
The first step to figuring out which metrics to focus on is to understand how security is tied to business impact.
Help them connect the dots. Understand how the business is generating revenue and how you’re going to be an enabler for its success.
Royce Markose, Former CISO
Once you have the right security data, it’s a matter of tying it back to the organization’s overall business goals. And the process is iterative. Leidecker shares that supporting the business isn’t just about measuring current initiatives. Take these recommendations a step further to help your board uncover blind spots for the business and identify risks that they should be aware of but are not. Addressing these concerns opens the door to new questions from other leaders that you can use to push your program forward in a way that works for you and the business.
Asking the right questions about your next CISO position
A strong candidate for any role is someone who can step into an interview and clearly demonstrate their value to the company. As with any other job search, before you decide on your next CISO role you should take time to research the companies you’re interested in. For a CISO, this may include understanding where the company is located to determine the types of compliance you’ll need to adhere to (e.g., GDPR for an international tech company or PCI for payments companies).
Markose also suggests researching the leaders of the organization to ensure you cover topics that interest them in your interviews. “If, for example, you know that an organization grows by acquisition, come prepared to talk about the risks that entails and how you can add value,” he adds. By entering the conversation with a solution-focused approach, you can make the interview about your own expertise and get a sense of how you can fit into the organization.
Everyone says they want to fix their problems, but do they really? Your interview should be a pitch where you demonstrate that you know exactly where they are, where they want to be, and how you would get them there.
Drew Simonis, CISO, Juniper Networks
In many cases, it can take years to build a full security function. Another key step in evaluating your new role is to ask yourself questions about the company’s current security state. Leidecker shares that one of the most important things at this stage of exploration is understanding where the company is in its security journey and whether or not it is willing to help you accomplish your goals.
Leidecker, Markose and Simonis recommend you start this process by asking questions, such as:
Do they have other security leaders, or will you be the first security person hired and tasked with building a team?
Do you feel you’ll have support from existing leadership to launch new initiatives?
Is the organization growing in a direction you’re excited about?
Does the company have the right resources and priorities for you to succeed?
Your new company should align with what you want from a new role. “I once told an interviewer, ‘If you just want someone to be able to get your SOC certification, sign off on stuff, and check boxes, go hire someone else,’” Leidecker says.
Building and supporting more diverse security teams
A core responsibility of being a leader is creating and nurturing great teams. To encourage more diverse teams within organizations that have not yet gone through cultural shifts, it’s your role as a CISO to find and enable new talent.
To do that, you have to take chances on a wide range of skilled candidates to develop your unique team dynamic. “It’s not about simply making your team look different. It’s about finding people who actually have different backgrounds, approaches, and viewpoints,” says Simonis.
One way to drive these systemic changes forward is to make direct changes to job requirements. “Some of the smartest people I’ve met didn’t have any formal education. They just learned on their own. Taking some requirements, like bachelor’s or master’s degrees, off of job listings can make a big difference in your applicant pool,” Markose adds. And supporting diverse teams doesn’t stop at the hiring stage. It also requires you to create a culture where new additions and perspectives are valued.
Some of the worst teams I’ve been on were teams where everyone thought the same thing. As a leader, you have to be open to different leadership styles and approaches to ensure you have a team that doesn’t just get groupthink.
Jack Leidecker, CISO, Gong
Collaborative security leadership for a new era of security
With all of these tips, you can be prepared to join, build, and collaborate with teams that are best equipped to handle security challenges. At the end of the day, the most important takeaway is that a truly collaborative leader focuses on communication. Having the right ideas is only the first step. To succeed, you have to communicate those ideas effectively to all of your partners. By planning with your teams, designing strong policies, and building partnerships, you can be ready to take on complex challenges in today’s security landscape.
Watch the full interview to learn more from these leaders and their decades of security expertise.