What exactly is a CISO, anyway?
I see CISO job ads asking for people’s GitHub handles, but you’re not hiring a developer, and you're not hiring an engineering manager, you're hiring a CISO.
Security engineering is not about writing code, so even if you were hiring a Security Engineering Manager you still wouldn’t want to be measuring candidates based on the code they write.
So if a CISO isn’t just a weird form of security engineering manager, then what exactly do we do all day long, anyway?
What’s the recipe for a CISO?
One bushel of technical systems knowledge
How do things work? You can’t secure a system if you don’t understand the system at least as well as attackers. From my point of view, that means a good CISO is much more likely to come out of traditional IT or even a DevSecOps role than from a developer role. Developers are generally laser-focused on a specific tech stack—deep and narrow—but a CISO needs to spread themselves thin across everyone and everything in their org—shallow but broad.
a demijohn of people, people, people
Not just technology, but also process and people, because the human systems you are defending are not technical. CISOs are focused on risk management, and the way you manage risk—since risk mitigation is almost always part of risk management—is to change things: to change the way people do things. In other words, change management. But people hate change! Oh my lord do people hate change. So exercising diplomacy and influence across an org is key to securing an org. That’s not a l33t supercoder job.
a peck of security mindset
No one can be successful in any security role without the security mindset. This is the adversarial thinking that distinguishes a builder from a breaker, and it’s the raw material I look for when interviewing candidates. You can teach technical skills, but you can’t teach adversarial thinking to someone who lacks the knack. It’s a raw talent that I’ve discovered in people both technical and non-technical. A CISO unable to think creatively about adversaries—whether the North Korean military, a ransomware gang, or the Irish Data Protection Authority—is not going to be effective in their role.
two liters of leadership ability
A one-man CISO is just a phony title. Ultimately a company of any size that needs a CISO is going to need a security team for the CISO to lead. But that means the CISO needs to be an effective team leader who knows how to delegate, to motivate, to discipline—to get the most out of their team for the benefit of their employer. This includes leading on both security engineering (managing real security risk) as well as security compliance (working with Legal to meet regulatory risk appetite, acquiring security certifications like ISO 27001 to enable the business to close deals, etc).
a barrel of business mindset
It is a tempting but fatal rookie error in security to be an absolutist about security. This is unhelpful and makes you a bad CISO. A CISO is not just a technical engineering manager—a CISO is a business executive whose job is to work closely with the CEO and Board of Directors to balance risk and opportunity to meet business goals. A CISO is not a high priest of security trying to achieve perfection or a Cassandra warning of doom. Risk is part of doing business, and security risk is part of doing business. Making sure the business understands that risk, and helping the business to choose between accepting risk or spending money to mitigate that risk, is the fundamental service the CISO provides.
a heaping tablespoonful of lawyer
I am not a lawyer and I don’t play one on TV. But I need a solid grasp of the law in order to do my job. As I explained to a disbelieving colleague—a software engineering manager—security straddles the fence between Engineering and Legal. Legal and regulatory risk are a major part of my job as a CISO. When my adversaries aren’t just criminal hackers but government regulators, I had better understand the regulations we aim to comply with (or, as an executive decision made together with the General Counsel, choose not to comply with because the risk of a regulatory fine is so low).
a pinch of accountant
You can either accept risk or spend money to mitigate risk. That means you need a solid beancounter mentality to be effective as a CISO. How much money should we spend? What's the cost/benefit analysis of that spend? (What's your Security ROI?) Are you spending money wisely, and being a good steward of company funds?
a megaphone of hostage negotiator
Negotiating contracts with security vendors sometimes feels like a hostage negotiation. "Pay us this crazy money for a substandard product, or the hostage gets it." In this case my employer is the hostage. It’s not racketeering, but it sometimes feels like it! Being able to go to the mat with vendors and tear into their offering to get a better price is a crucial skill for a CISO. It’s not enough to just mitigate security risk; you should be optimizing for cost as well.
Recipe
Throw all the ingredients into a blender. Puree on low for twenty years or so. Pour into a suit hoodie (half suit, half hoodie) and serve with a heaping side order of ambiguity.