What is the most important advice you can give the next generation of security professionals and CISOs?

SVP, Chief Information Security Officer in Education, 5,001 - 10,000 employees
Context is important. The path that one takes to being a CISO is very relevant and there are generally two paths. One path is to come up through the technical ranks. You understand technology at a certain level and you grow into management before ending up as a CISO. And the other path is to get your MBA. Among the MBAs that end up as CISOs, you’ll often find that they have never done security work hands-on, but they’ve gotten into that role because it has become far more business-centric than what it once was. I'm not saying either path is better or worse. They just come with different perspectives. I've met peers that couldn't break into something if I did it for them, but they're CISOs. And then I've met CISOs that come from a technical background and couldn’t talk to a board of directors if their career depended on it.

A good balance of both technical skill and business acumen is what a CISO needs to succeed. You have to earn the respect of your cybersecurity rank and file, but you also have to be able to translate technology talk for the board and C-suite. You have to speak their language and that doesn't come naturally; it’s something you have to learn. Some CISOs see themselves as pure business people and will never have the respect of their actual cybersecurity ranks. But that's a mistake, because in the face of a real emergency, those people won’t be that effective. So my advice is: don't limit yourself in terms of your perspective. It's great to have the business perspective, and it's great to have the technical perspective, but this role is unique in that you need both.
CISO in Healthcare and Biotech, 2 - 10 employees
Be curious, be emphatic, lead with the "why" and never say "no", only "maybe...if the risk can be minimized or the right controls are in place."
CIO/CISO in Healthcare and Biotech, 11 - 50 employees
Focus enough time on learning to translate the technical aspects of what you do (using risk as the key arbiter) into language that your C-suite peers and board members can understand. The technical controls have become much more mature in the past 5 years; the real challenge is preparing to talk on the same language level as your peers in other business units.
CISO in Software, 10,001+ employees
Always have a training and growth plan with dedicated time allocation and structure to stay current on trends, technologies and processes.
CISO in Finance (non-banking), 10,001+ employees
Before implementing any security solutions or processes, understand the context of the organization and its business objectives. It is very important to align the security objectives with business objectives. Do not block and stop the business every time; instead, give them correct solutions and alternatives with minimal risk. Security is no longer a back-office operation; it is more of a business enabler these days. You need to remember that things don't change overnight, and CISOs and security professionals have to be very patient in their role. Interactions with business and technology need to happen on a regular basis, and their buy-in is a must. You need to balance the right mix of technical, procedural and management skills if you want to be successful in the longer run. Security professionals must not fall into the blame game and have to demonstrate much more maturity in front of business and tech teams. A clear roadmap has to be defined with goals and measurables. Understanding the organization is very important. You need to have the right balance of people, process, technology and sustainability.
CISO in Finance (non-banking), 5,001 - 10,000 employees
Don't be afraid to fail and truly learn from those experiences.
Director ERP Management in Travel and Hospitality, 1,001 - 5,000 employees
Make sure to include a solid defense against Ransomware, review it regularly and update as new vulnerabilities are discovered. 
Field Chief information Security Officer (CISO) for Public Sector & Client Advisor in Finance (non-banking), 1,001 - 5,000 employees
Find a mentor, who is at least 5-10 years ahead of you in your professional career, and who you trust to guide your journey. Also, be a mentor for others and give back. 

For more details on this, see: https://www.govtech.com/blogs/lohrmann-on-cybersecurity/security-pros-need-a-mentor-heres-why-and-how.html
