Opening Keynote: Cyber Security - It's All About the Maybe

As a CISO, you will find your job requires you to have experience in many areas. As the leading cyber security executive for your organization, you will be expected to manage your organization's cyber security suite and lead your team in protecting its assets. In this position you will also work with your organization's departments and, in the process, meet many of your critical stakeholders. As you build your human network in your organization, remember these stakeholders are your customers, and it is important that you understand what issues they are presently having with your organization's enterprise network and its current application portfolio.

Your stakeholders will eventually turn some of these issues into business cases for new IT projects. I have seen many of them come before my IT Department’s Technical Review Board as they make their way through my organization's governance process. Knowing the context of why these projects are being proposed by your stakeholder's department, and understanding the underlying issues that drove them to propose a solution, will help you review their business case from a more informed position.

The reason this is important is that as a CISO, your expertise in security and risk management will be called upon to review new projects or proposed solutions. Many of these projects will be to assist one of your stakeholders in correcting an issue that is interfering with their ability to provide services to your organization and its customers. Sometimes your stakeholders will propose projects that incorporate new technologies. As the CISO, you will have to decide the risks involved in using these new technologies and whether they are a good fit for your organization's technology roadmap.

As CISO, I firmly believe part of your job is to not say “No” to projects that don’t quite meet your organization's roadmap. Instead, I believe as a CISO your job is to say “Maybe”. This leads you to look at proposed IT projects with a critical eye to ensure they induce the least amount of risk to your organization. However, you still have to remember there is a business reason for the project, so you will need to think of alternatives. Sometimes, to do this, you have to remember the reason these projects were proposed and what “issues” they are meant to solve. Your job in your organization is not to stop it from doing business; in fact, I look at cyber security as a business enabler. We provide the foundation to build your organization's IT portfolio on and then keep it safe.

Part of keeping your organization safe is being able to answer the “Maybe”. I have found being able to do this involves being knowledgeable about new technologies and the risks involved with old ones. I constantly do this by attending classes, training events and start-up incubators to see new technologies and how to add them to legacy networks. I have found that to be an effective CISO for your organization you must be able to say “Maybe” when needed and give them an alternative to succeed.