Your company carries risk: economic risk, regulatory/legal risk, and cybersecurity risk, and of those major risk centers, cybersecurity is by far the newest and the least understood.
Most non-technical people just don't get cyber, and even many software engineers struggle to understand it.
That means an effective security engineer must have strong communication skills because you will always be explaining what you do, why you do it, and why it's important.
This goes double for security leaders. It's not enough to communicate security risks to software engineers ("hey patch this bug").
As a CISO, you have to take the big picture view in order to drive "whole of company" security strategy.
Well, what does that mean?
What is a security strategy?
Know your threat model. What cybersecurity risks could financially harm your employer?
How much risk are the CEO and Board of Directors comfortable carrying? A CISO executes to meet their risk tolerance.
What's your budget of time and money? You will always have finite resources. How do you prioritize spend to mitigate the most risk (Security ROI)?
Everything is connected to everything else. As a CISO, you have a company-wide responsibility to look after application security, cloud security / DevSecOps, IT security, executive operational security, crypto self-custody (if you work in crypto), certifications (like ISO 27001 or SOC 2) to support business development efforts, and of course security compliance obligations.
So building a security strategy means understanding security risks, communicating those risks in a way executive leadership can understand, budgeting to mitigate those risks, and targeting maximum Security ROI in a whole of company effort.
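Putting numbers on "prioritize spend to mitigate the most risk" is what makes the budget conversation concrete. The following is an added example, not code from the original post: it applies the standard quantitative risk model (annualized loss expectancy ALE = SLE × ARO, and return on security investment ROSI = (risk reduced − control cost) / control cost), which the post does not itself spell out, to a constructed, hypothetical five-item control register and budget. It also shows why a simple "best ROI first" rule is not the same as "most risk removed for the budget".

```python
"""Budget-constrained prioritization of security spend (added example).

Model assumed here (not stated on the page):
  ALE  = SLE * ARO                       annualized loss expectancy of a risk
  ROSI = (risk_reduced - cost) / cost    return on a control that removes part of that ALE
All names, costs and probabilities below are constructed for illustration.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Control:
    name: str
    cost: float       # annual cost of the control: money plus staff time, in dollars
    sle: float        # single loss expectancy of the risk the control addresses
    aro: float        # annualized rate of occurrence of that loss, before the control
    reduction: float  # fraction of the ALE the control removes (0..1)

    @property
    def ale(self) -> float:
        return self.sle * self.aro

    @property
    def risk_reduced(self) -> float:
        return self.ale * self.reduction

    @property
    def rosi(self) -> float:
        return (self.risk_reduced - self.cost) / self.cost


# Constructed register. The SOC 2 entry is included on purpose: it has a negative
# security ROI in this model because its value is business development, not risk reduction.
REGISTER = [
    Control("MFA on cloud console",        cost=20_000, sle=2_000_000, aro=0.05, reduction=0.9),
    Control("Dependency scanning (SCA)",   cost=30_000, sle=500_000,   aro=0.20, reduction=0.5),
    Control("EDR on laptops",              cost=60_000, sle=800_000,   aro=0.25, reduction=0.6),
    Control("Smart contract pentest",      cost=80_000, sle=5_000_000, aro=0.04, reduction=0.7),
    Control("SOC 2 audit",                 cost=90_000, sle=300_000,   aro=0.10, reduction=0.3),
]
BUDGET = 150_000


def total_risk_reduced(plan) -> float:
    return sum(c.risk_reduced for c in plan)


def greedy_plan(controls, budget):
    """Take controls in descending ROSI order while they fit the budget.

    Fast and easy to explain to a board, but a high-ratio cheap item can crowd out
    a larger item that removes more risk in absolute terms.
    """
    chosen, remaining = [], budget
    for c in sorted(controls, key=lambda c: c.rosi, reverse=True):
        if c.rosi <= 0:
            break  # everything after this loses money on pure security terms
        if c.cost <= remaining:
            chosen.append(c)
            remaining -= c.cost
    return chosen


def optimal_plan(controls, budget):
    """Exhaustive search for the subset that removes the most risk within budget.

    This is a 0/1 knapsack; brute force is fine for a register of a dozen items.
    """
    best, best_value = [], 0.0
    for k in range(len(controls) + 1):
        for subset in combinations(controls, k):
            if sum(c.cost for c in subset) <= budget:
                value = total_risk_reduced(subset)
                if value > best_value:
                    best, best_value = list(subset), value
    return best


def compare_plans(controls=REGISTER, budget=BUDGET):
    """Return both plans and their totals so the difference can be shown side by side."""
    g, o = greedy_plan(controls, budget), optimal_plan(controls, budget)
    return {
        "greedy": [c.name for c in g],
        "greedy_risk_reduced": total_risk_reduced(g),
        "greedy_cost": sum(c.cost for c in g),
        "optimal": [c.name for c in o],
        "optimal_risk_reduced": total_risk_reduced(o),
        "optimal_cost": sum(c.cost for c in o),
    }


if __name__ == "__main__":
    for c in REGISTER:
        print(f"{c.name:28s} ALE={c.ale:>10,.0f} reduced={c.risk_reduced:>10,.0f} ROSI={c.rosi:+.2f}")
    for k, v in compare_plans().items():
        print(f"{k}: {v}")
```

On this constructed register the greedy plan spends 110k to remove 260k of annualized risk, while the exhaustive plan spends 130k to remove 280k, because it drops the EDR line for the pentest that the greedy pass skipped as "not fitting". The point for a CISO is that the ranking rule you pick is itself a budget decision and should be stated when you present the numbers; the inputs (SLE, ARO, reduction) remain estimates and deserve the same scrutiny.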
Know your audience. Being effective in a security leadership role means talking yourself blue in the face, communicating up, sideways, and down the org chart. Security risk is abstract, unintuitive, and sometimes even counter-intuitive. Mitigating cybersecurity risk is not just technical, it’s also a management discipline. And you can’t get folks internally to willingly help you if they don’t understand your ask.
Put yourself in their shoes. There is a strong temptation for well-meaning folks meeting you and the security problem for the first time to expect security engineering to look like software engineering. Security is just about code (“just about smart contract security”), this is a simple problem, if we just do this list of things everything will be OK, etc.
This is a naive point of view you will hear throughout a career in cybersecurity, and it also means that you will spend a major chunk of your time educating people about security risk.
Zoom Out
Once you zoom out, whole of company security reaches a level of complexity that cannot be distilled down into a list of checkboxes to tick. Security frameworks are a useful jumping off point, but a dogmatic approach to such things fails when your security risk exceeds your compliance risk.
A pragmatic approach to security leadership and risk management is therefore necessary.
Security leadership as a CISO means you have to take the big picture view, see everything in context, and take action on the understanding that security is not just a technical discipline, but is equally a management discipline: security is fundamentally about how we do things, not just lines of code.
Zoom out. Look at your employer from an attacker’s point of view. Attackers take a whole of company approach. As defenders therefore we must also take the big picture view.