Cybersecurity Leadership: Stepping Back So Others Can Step Up
For as long as I have been in the cybersecurity industry (too long, too long) there has been discussion about the role of the cybersecurity leader. What functions should be in security? Who should a Chief Information Security Officer (CISO) report to? Is a good CISO technically- or business-focused? What makes a security leader? How can a CISO get into the C-Suite? How can they stay there? What does cybersecurity leadership even look like?
There are certainly high-profile CISOs… they typically operate in a large publicly traded company, oversee millions of dollars of security budget, and get paid millions of dollars to do so. Some CISO-stars have a reputation for coming into a company after a big breach and turning around the security profile of the organization. They are adored by other security professionals, are applauded on the security speaking circuit, and are invited to speak to governments and think tanks. The industry needs people like this.
But for most security leaders, the reality of their day job is far from this public image of security leadership. Instead, they work day in and day out in their organizations, fighting budget battles, coaching their teams, nudging their stakeholders to think just a bit more about security. They don’t sit in the C-Suite, they may be chronically burned out by low-grade stress, and they aren’t likely to be pulling in 7- or 8-figure salaries and golden parachutes.
The irony of being a security leader is that you’re constantly thinking of security controls — where to put them, how to measure them, where to accept them. After all, you are accountable for the security profile of an organization… yet you control nothing in the organization. Oh, you can control your team and the functions they provide — but your budget is not your own, the activities you oversee are shared with other teams, and during a crisis the front lines of the security war are owned by other generals with other priorities and other rewards. So you may want, or even plan for, the best for your organization, but when the dumpster fire really starts to burn, all you can do is watch.