Winning as a CISO

“Winning as a CISO” (Chief Information Security Officer) is the second book^† I have bought from the ISACA bookstore. The book’s opening phrase is “If performing vulnerability assessments, configuring firewalls and performing network forensics makes you happy then becoming Chief Information Security Officer may not be the right career choice for you”. That may be true and has been stated in other fields^‡ too, but it does not mean that this is not a book for security professionals not on the CISO career path.

In fact this is a book on understanding corporate management and not only for security people, but for other techies too! What this book tries to put into the reader’s mind is the simple fact that anything you do in a sufficiently large (or beaurocratic) organization is a service that you sell inside the organization. For your service to sell it does not only take hard work; Hard work is fine but can only get you so far. People who understand the organizational dynamics and politics are the ones who can both increase their budget and advance their careers. In his “Time Management for System Administrators” Tom Limoncelli mentions the martyr complex that many sysadmins seem to suffer from. Martyr complex is the result of both lack of automation of routine stuff that devours our time unproductively and the lack of effectively communicating of what it is exactly that we do^*. Well guess what: It is not their job to try and understand what we do; it’s ours and in the security arena it is even harder because the “security guys” are the ones who block other people’s fun work for obscure reasons contained in dusty policy tomes.

“Are you the type of person that can stand up to superiors without being afraid of risking employment status? Will you stand up for an employee who acted with reason and responsibility but erred nonetheless?” This is a question that the author asks to anyone that considers a CISO career path. Well I have stood up to management (but not without personal loss) and my managers have stood up for me when I made errors. In fact one of them argues that “the only person that never errs, is the one that never does any actual work”. This is the kind of management that wins your team’s heart (any team, not just the security team).

Now I understand that the book belongs to a class that, as my friend XLA puts it, describe “an ideal corporation, in an ideal country where everyone eats ice-cream”, but nevertheless it is the thinking mode that matters. Do not let daily tactic stuff distract you from your target (strategy if you like). That and the realization that although hard work pays, it pays better when you invest in marketing it. I cannot say that I learned anything that I did not already knew from the book. But it is not always necessary for people to learn about such stuff from experience only.

[†] – The first one being Nigrini‘s book on Benford’s Law.

[*] – “You do a lot of work, but not many people understand the work you do” from the opening of the speech from the Estonian Ministry of Communications representative at RIPE-54.