What are the key traits that CSOs and CISOs need to manifest in order to survive in our ever-changing, even hostile, cyber world?Last Friday evening, I had the honor and privilege of offering the opening keynote speech for CISOs, as well as many other security leaders from all over America, at the ISSA CISO Forum in Anaheim, California. The event theme was: From Change-Driven Challenges to Change-Driven Ingenuity.I decided not to talk about BYOD or cloud computing or the many challenges associated with securing virtualized data centers. Nor did I discuss the rising cyber threat from organized crime, growing numbers of domestic (bad guy) hackers or foreign experts who are attacking our critical infrastructure, the consumerization of IT, FUD headlines or a long list of other hot topics that can keep CISOs up at night.
What's the story?
Here are some highlights from my heart-to-heart after dinner talk with the CISOs in the room:First, what got you in the room as a CISO usually won't be enough to keep you in charge of cybersecurity. No doubt, you've developed the skills, degrees, knowledge, and expertise to succeed. But building key relationships is probably even more important than technical skills going forward. Can you earn long-term respect?Second, I believe that the stakes for security leaders will only get higher as we progress through the 21st Century. While it may seem as if we've already seen the worst the bad guys can throw at us, future problems will get even more personal than ID theft.A visit with the kids to the "Innovations" section of Disneyland will show you all of the wonderful technology advances that are coming soon. From cars to medicine to just about every other area of life, exciting new technological opportunities are just round the corner.But while new innovative medical procedures will allow implants to cure diseases and eliminate the need for dangerous, expensive surgeries, those same devices will be susceptible to wireless cyber attacks. While Wired Magazine recently proclaimed cars will drive themselves in the future as we relax and play games, what if your car's gas pedal was taken over by malware?Third, to stay relevant, security leaders need to understand why security pros fail - and what you can do about it. We need to be enablers of business, offer reasonable options, and thinking outside the box.Also, security leaders need to learn how to anticipate changes in technology and business practices. I call this the "Wayne Gretzky thing" or "skate to where the puck is going to be." Disruptive forces will come as the economy and competitive forces continue to play out. Security leaders can't (only) be focused on technology challenges over the next iPhone or future Droid devices or the Windows 8 release, we need to understand the changes that our customers are facing on the front lines of business.
But What's the Main Thing?
Is there another elephant in the room? Yes - Integrity. Will customers and partners say you're trustworthy?As we move deeper in the 21st century, CISOs must first and foremost strive to be trusted security advisors to management. To do this, we must demonstrate genuine integrity in all our dealings. Be above reproach. Even suspicions of unethical behavior by our staff, peers or executive leadership will undermine future effectiveness and the ability to accomplish our goals.Why? What makes trustworthiness such an important aspect of future cybersecurity leadership success?Answer: we are the protectors of the crown jewels - the information and more. We are the eyes and ears of the operational organization's critical controls and audit remediation plans.In addition, if security staff members believe that they are exempt from the policies that are put in place for others, our teams will be viewed as hypocritical and poor role models by our customers. Sure, everyone needs ethics, integrity and trustworthiness. But this trait is especially important for security staff. CSOs need to be building teams of trustworthy individuals.I told the CISOs last Friday that I'd rather hire a good security pro who has a great attitude, who is trustworthy, who is accountable, than a great cybersecurity expert who I mistrust. I need to know that our security team members have integrity. Remember, Darth Vader was well trained.
What about generations Y and Z?
One question arose regarding whether younger workers who are just coming into the workforce can be held to the same ethical standards. Can we expect integrity from the millennial generation? My answer was yes, but we do need to incorporate mentoring and building trust as core components of our security training programs. We need to build a culture of accountability and expectations of trustworthy actions. Of course, we trust and verify with background checks and related processes.One way to do this is to hire students or interns and get to know staff before offering permanent or long-term security roles.
Resources for building trust and integrity
If security leaders must be above reproach, what steps can we take to ensure that we are modeling integrity and building trust in the workplace? A good place to start is Stephen M.R. Covey's book, "The Speed of Trust."I also wrote a recent three-part blog series on the importance of cyberethics for Government Technology Magazine's Lohrmann on Cybersecurity blog. The topics discussed include: Why cyberethics matter more than you think. What are the ethical problems in cyberspace? And, becoming a cyber ambassador for good.
After the talk, I was especially moved by one story on integrity from a successful CISO. He told me that he once worked for Arthur Anderson - who maintained the gold standard on trustworthy behavior for over 80 years. And yet, a small minority of bad apples in one Texas office lowered their standards, falsified documents, and brought down perhaps one of the most respected companies in the world in just a few short months in the Enron scandal. Not only did the lack of integrity cost tens of billions of dollars, it devastated thousands of careers, families and fortunes. This leader's personal journey back from the brink of depression took years. Integrity is a very special word for him.For the rest of us, we know things will be different in the future. Technology and business change is coming, and fast. What are you doing to prepare?Albert Einstein once said, "Whoever is careless with the truth in small matters cannot be trusted with important matters." Nevertheless, careers and trusted business relationships that are built on a foundation of integrity will last.
