What is the most important advice you can give the next generation of security professionals and CISOs?
CISO in Healthcare and Biotech, 2 - 10 employees
Be curious, be emphatic, lead with the "why" and never say "no", only "maybe...if the risk can be minimized or the right controls are in place."
CIO/CISO in Healthcare and Biotech, 11 - 50 employees
Focus enough time on learning to translate the technical aspects of what you do (using risk as the key arbiter) into language that your C-Suite peers and board members can understand. The technical controls have become much more mature in the past 5 years; the real challenge is preparing to talk on the same language level as your peers in other business units.
CISO in Software, 10,001+ employees
Always have a training and growth plan with dedicated time allocation and structure to stay current on trends, technologies and processes.
CISO in Finance (non-banking), 10,001+ employees
Before implementing any security solutions or processes, understand the context of the organization and its business objectives. It is very important to align the security objectives with business objectives. Do not block and stop the business every time; instead, give them correct solutions and alternatives with minimal risk. Security is not a back office operation anymore and is more of a business enabler these days. You need to remember that things don't change overnight, and CISOs and security professionals have to be very patient in their role. Interactions with business and technology need to be done on a regular basis, and their buy-in is a must. You need to balance the right mix of technical, procedural and management skills if you want to be successful in the longer run. Security professionals must not fall into the blame game and have to demonstrate much more maturity in front of business and tech teams. A clear roadmap has to be defined with goals and measurables. Organizational understanding is very important. You need to have the right balance of people, process, technology and sustainability.
CISO in Finance (non-banking), 5,001 - 10,000 employees
Don't be afraid to fail and truly learn from those experiences.
Director ERP Management in Travel and Hospitality, 1,001 - 5,000 employees
Make sure to include a solid defense against ransomware, review it regularly and update it as new vulnerabilities are discovered.
Field Chief Information Security Officer (CISO) for Public Sector & Client Advisor in Finance (non-banking), 1,001 - 5,000 employees
Find a mentor who is at least 5-10 years ahead of you in your professional career, and who you trust to guide your journey. Also, be a mentor for others and give back. For more details on this, see: https://www.govtech.com/blogs/lohrmann-on-cybersecurity/security-pros-need-a-mentor-heres-why-and-how.html
A good balance of both technical skill and business acumen is what a CISO needs to succeed. You have to earn the respect of your cybersecurity rank and file, but you also have to be able to translate technology talk for the board and C-suite. You have to speak their language and that doesn't come naturally; it’s something you have to learn. Some CISOs see themselves as pure business people and will never have the respect of their actual cybersecurity ranks. But that's a mistake, because in the face of a real emergency, those people won’t be that effective. So my advice is: don't limit yourself in terms of your perspective. It's great to have the business perspective, and it's great to have the technical perspective, but this role is unique in that you need both.