The role of the CISO, the Chief Information Security Officer, has traditionally been a technical one. With organizations taking a technology-first approach to secure their infrastructure and data, it seemed natural to elevate technical members of staff into the role to make the best use of their knowledge.
But not everyone in this role is a hands-on technical security expert. What do you do if you don’t have a technical background and you’re a CISO (or the equivalent level of task responsibility) and people expect you to understand all of their technical security problems and issues?
You’ll most likely be encumbered with many non-technical requirements: personnel management of direct and indirect reports, all of the admin that goes with a senior position, being able to understand the new language those around you are using or the concepts they’re referring to, translating between technical and non-technical staff, understanding and prioritizing business outcomes over purely technical or security-related results, threat modelling issues around compliance and liability and litigation… all of this… while trying to learn the technical knowledge at the same time.
Or even if you were in a technical position before, you’re expected to maintain up-to-date knowledge in an ever-changing field, while learning all the new skills required for your management role.
Thankfully, many organizations now realize how important mental health concerns are for their people, particularly senior staff, where impaired decision making or forced absence from work can have a detrimental effect on the business. But while trying to stay balanced, you still have a problem to solve: how do you stay up to date with technical developments when you’re not in a technical position?
Here are a few solutions to consider, depending on the situation you’re in.
Talk to your staff openly
When you’re the most senior person within a particular discipline in your organization, it can feel that you need to be the most knowledgeable and most incisive. But that attitude is more suited to bosses in video games and Hollywood villains than to a corporate hierarchy today.
Talk to your staff. Find the experts and ask them for their opinion, or ask them to brief you on the latest developments in the field. Not only are they saving you considerable time and effort, but this common ground where you’re asking for advice helps build a much better relationship with your team. Being a source of knowledge to you is part of their duties, and if you honor this task with that level of importance then they will too.
Of course, you need to be aware of any local considerations and biases, for example, a technical expert in data loss prevention (DLP) is unlikely to advocate the abandonment of this technology for a different platform, but with this context in mind, you can access decades of their accumulated knowledge in a few hours.
Build good relationships with your vendors
Image credit: Getty Images
Find a good vendor, ideally, a good systems integrator (SI). They usually have a poor reputation in the industry, but it’s unfairly so. However with this being a technology-led field, you’re going to have to refer to experts, and who better than organizations that sell multiple types of solutions. Find a good SI. Ensure they’re aware of your budgets and constraints; also that they know you’re looking to build a relationship rather than make a quick purchase. As there’s a greater upside for them than an immediate sale, your chosen SI should see you as a long-term relationship, and as your organization grows, so will your budget to spend with them. Subpar salespeople think in the short term to make a quick sale today. Better salespeople realize the pressure you’re under and know how valuable they can be to you if they’re trustworthy and offer high-quality advice – and, in return, if you go straight to them for your next purchase, they’ve just saved a considerable amount of sales effort.
Befriend the technical staff at your vendors
My opinion of salespeople is built around those I’ve worked with, so it might be more favorable than yours. Maybe the vendors you deal with simply aren’t that trustworthy, or you don’t have the budget to attract any of the SIs. In that case, focus on the technical staff at your vendor, the pre-sales support who accompanies the salesperson. This technical person will either be a dedicated pre-sales resource or a developer or architect for smaller vendors. It’s unlikely they’ll be on commission and evaluated on sales performances, so they won’t be financially influenced to deceive you. It’s also quite likely that they’re blunter, technically minded and a bit of a problem solver – they’ll see your situation as a puzzle to be solved rather than a business opportunity to be exploited. And if their current employer’s product doesn’t fit, then they’re more likely to explain why.
In particular, keep this in mind at conferences. See if you can catch the technical sales support person away from their stand or after a talk to get an honest opinion of their solution.
Alternatively, at either a conference or a sales meeting, see it as your job is to discuss the financials with the sales rep and protect the technical person you’ve brought along with you; that way your technical team member can talk, unhindered, to the technician from the vendor. While you’re soaking up the infographics and sales numbers, your technical person can get a more honest view and report back to you afterward.
How to avoid bluff or burnout
It’s common for security leaders to pick one of two approaches:
Bluff – especially for non-technical or formerly technical leaders, it’s easy to try and bluff your way through decisions, to give confident guesses, expecting your team to make the best out of what you’ve decided. You might get lucky for a while, but bravado alone can lead to staff taking you out of the decision-making loop to avoid your mistakes.
Burnout – try to take on all the new business skills while maintaining your existing specialist skills, to be the leader everyone expects you to be. This approach isn’t sustainable.
The strategies I’ve proposed are more difficult as they need more investment and commitment, but it’s a better way forward in the long term that will lead you to make more effective technology decisions in the future.
The opinions in this article reflect those of the author.