Congrats, you hired a CISO. Naturally you’re expecting them to ‘hit the ground running.’ They want the same thing. Understanding the CISO’s mindset helps your company reach a better cybersecurity posture more quickly. This article explains three components of effectively hiring and onboarding a CISO:
- The components of the CISO’s ‘toolkit’
- The CISO’s engineering mindset
- Enabling the CISO to solve ‘the puzzle’
Each CISO has a Unique ‘CISO Toolkit’
The success of a CISO-company relationship hinges on two key questions:
- What does the organization need from their new CISO?
- What does the CISO candidate bring to the table?
The CISO Toolkit is key to answering these questions. The CISO’s Toolkit is the combination of the environments they have previously navigated, the experience they gained delivering in them, and the technical and professional skills they have developed along the way. When hiring a CISO, weigh the program’s needs against the candidate’s toolkit.
Let’s explore the components of a CISO’s toolkit further.
Technical & Professional Skills
The CISO Toolkit includes their technical skills and understanding, whether those skills were born of passion or of professional need.
Examples of technical skills for CISOs include these and more:
- Infrastructure skills
- System administration skills
- Data structuring skills
- Application development skills
- Skills in translating functional requirements into technical ones
On the professional side, the CISO’s Toolkit includes their ability to:
- Provide effective and efficient solutions to protect & deliver value
- Function as a peer to the rest of the C-suite
- Adapt to changing conditions (budgets, threats, support, leadership, etc.)
- Lead the security department
Combined, these represent things that they know and can do.
Prior Experiences
A CISO’s past experiences are also part of the toolkit they bring to your organization:
- The various company environments they have experienced (size, industry, jurisdiction)
- The kinds of work / outputs they have delivered: Builder, Fixer, Scale Operator, as described in more detail in this article by Lenny Zeltser and Yael Nagler (also an author of this article).
These experiences can be enablers: the lessons learned allow the CISO to help your organization avoid delays and frustrations. On the other hand, an environment too similar to past experiences may lead to ‘doing’ before adequately ‘understanding’ the new organization. In addition to the CISO’s Toolkit, hiring managers should consider how the CISO will approach the new environment by understanding the CISO’s affinity for solving puzzles.
The Engineering Mindset of CISOs
While the role of CISO is different from organization to organization, a common unifier among CISOs is their engineering mindset. As it relates to cybersecurity, an engineering mindset is the inclination to define guardrails and scaffolding (that reflect critical thinking and analysis) to enable forward progress despite risk and uncertainty.
A CISO with an engineering mindset treats ‘new’ and ‘uncharted’ situations as paradigms to be understood, then applies their toolkit to unlock creative and effective solutions.
Embrace the opportunity for the CISO to apply the following:
- Learning Mode: Necessarily, one needs to learn as much about the situation as possible. The opportunity to observe and assess the environment and understand its components before designing solutions allows the CISO to prioritize resources against actual needs. An environment that differs from any prior experience naturally counters the tendency to ‘copy and paste’ specific tools or solutions simply because they worked somewhere else.
- Fresh Outlook: An experienced executive has seen multiple scenarios and environments. The organization is new to the CISO. This brings the benefit of a different perspective likely to unlock strategies and directions that someone ‘familiar’ with the paradigm may not see.
- Unbiased: Without the “baggage” of how past decisions were made or what motivated prior resource allocations, the CISO enters the new company unbiased and able to objectively process feedback and input from partners that may have otherwise been dismissed.
Enabling the CISO You Hired
Each experienced security leader brings their toolkit to their new employer. While it is natural for the recently hired CISO to study the new environment (to understand its patterns and intricacies), it’s helpful to recognize that the incoming CISO is unburdened by how things came to be. They come with a fresh perspective and an engineering mind seeking to understand and to solve. This enables them to establish guardrails and to make (and measure) progress.
To get the most out of your recently hired CISO:
- Apply their toolkit: Invite your new CISO to describe the company’s situation in the domains of their technical knowledge. This is a sort of “mirroring” that gives the CISO a chance to share their current understanding of the situation and also lets you address any blind spots — or worse, erroneous assumptions — about the state of the organization and the universe of potentially acceptable cybersecurity solutions.
- Bridge their Gaps: Assist the CISO in understanding the differences between the Company’s environment and their prior experiences.
- Present their puzzle: Provide the CISO with the first puzzle to solve. Align on goals, then empower the CISO to reach them using their toolkit.
Too often, CISOs are rushed to apply their toolkit and aren’t given adequate context. CISOs need an opportunity to engage their engineering mindset so that they may apply the right tools for the current environment. As the hiring manager, your understanding of the CISO mindset and involvement in providing necessary context enables the CISO to successfully “hit the ground running.”