What in the World Is a CISO?

5 years ago Zoë Rose

Whilst employment has taken a downward curve over the last year or so, there are a variety of approaches I use when applying for a role to help my CV stand out. One key point is knowing what the job entails before submitting my cover letter and CV. This allows me to tailor my message effectively. Additionally, it enables me to find positions that I might not have originally considered. One position I think more people should be aware of is a CISO. What does this actually mean – besides being made redundant when a breach is announced? I have personally worked within a CISO-as-a-Service position, but I wanted to get some more insight from those who are working in the trenches daily in an in-house CISO position. Below is what I learned through speaking with some brilliant contacts:

What I thought being a CISO was:

[GIFs: a fire hose; “critical thinking”; The Architect from The Matrix]

Having worked within the cyber security and technology industry for over a decade, I have seen brilliant examples of leadership and not-so-lovely managers. Over time, I have noticed the difference is found in how the senior person approaches their role. Leaders are people who strive for a positive experience, are able to delegate and are willing to let colleagues work in their own way, all whilst retaining a holistic view that is forward-looking.

As with all industries, it can be difficult to understand from the outside what it truly takes to reach a specific position or what the role itself actually requires. It is also important to note that no role is created by a cookie cutter – diversity of skills, experiences and more can enhance the organization’s strategy and coverage. In fact, research carried out by McKinsey & Company titled “Delivering Through Diversity” from 2018 revealed that gender-diverse senior leadership led to a 20% profit increase – ethnic diversity even higher. Within security, diversity of thought, skills, points of view, experiences, gender, culture and more bring layers of knowledge, considerations and insights that others might not consider.

The role of a Chief Information Security Officer (CISO) is no exception to the need for diverse persons. What I found from speaking to contacts within the CISO position was that it is quite easy to find one type of CISO – that expected cookie-cutter with similar backgrounds – but difficult to find diverse persons.

Thankfully, I have the privilege of knowing many excellent persons who have broken that mold and who became truly excellent CISOs focused on empowering their teams and bringing security to the forefront of their products and/or services.

On a typical day, what is your focus?

“My job is to ensure cross functionality does not turn into dysfunctionality” – Ian Thornton-Trump, CISO at Cyjax.

The number one response I got from my contacts was that their role is to keep up to date on security news and trends in order to identify how that may or may not affect the organization. Taking those industry insights, a CISO then translates and communicates that knowledge across the different teams and departments.

“In addition to making sure I’m up-to-date with any relevant, emerging threats and that any in-flight projects related to current strategy are still ticking along, I work to stay on top of the plethora of emails related to daily BAU activities.” – Becky Pinkard, CISO at Aldermore Bank PLC.

One response that stood out to me was Christian Toon, CISO at Pinsent Masons, who shared that a critical piece of his role is ensuring the team’s well-being and how enabling them to succeed is actually the key to his own success.

“More recently the team, that they have what they need (approval, resources, strategy, direction, moral support, mental well-being, &c) to be successful,” he said.

One person I always enjoy getting insights from is my long-time friend Ian Thornton-Trump, CISO at Cyjax. What is Ian’s daily focus?

Coffee, read intel reports, flag items of interest to the Threat Intel Team to make sure they are on top of things – they generally are. Take a gander at social media and plunge into the work of the day, be it media commentary, reporting or marketing campaign related – very unlike a CISO, but we are a start-up so everyone contributes cross functionally. My job is to ensure cross functionality does not turn into dysfunctionality, so I work with the COO very closely. I also have a role in product development and public advocacy for the importance of CTI as a robust, effective and inexpensive solution to help against cyber-crime.

Whilst each response is different, we can already see a theme throughout – the role of a CISO is to take a holistic view of the organization. It is about knowing their team and empowering them to achieve what they need, whilst knowing what’s next in terms of the threats confronting the organisation.

What being a CISO really is:

[GIFs: “All is certain”; “Do I look like I’m negotiating?”; Fernando; Bernie Sanders, “I am once again asking for your financial support”]

What is the true purpose of a CISO?

Whilst you might feel we’ve answered this already, I was curious what my connections thought their purpose was. Speaking with Wolfgang Goerlich, Advisory CISO at Duo Security, he explained that, “The CISO negotiates with peers and business partners. The CISO marshals support, budgets and people. The CISO protects the organization by securing the technology that enables the organization.”

Becky’s response was within the same thread: “The true purpose of the CISO is to interpret and align the company’s risk appetite with security opportunity to create and then drive the best strategy for securing the business and ultimately to ensure the right security for customers.”

To me, both Wolfgang and Becky’s responses go back to CISOs having that holistic view. It’s about taking stock of all the little complexities along the way, ultimately lining them up and appropriately assessing them.

Ian highlights this further: “Leadership and awareness of what is going on, why it’s going on and who may be victimized by the events unfolding.”

What area would you say you are best in?

You may have heard the following many times: “The more senior your role, the less hands-on/technical you can be.” However, Becky made an interesting counterpoint.

My cyber security career consisted of hands-on, technical roles for the first 10 years, which has helped me immensely as my career has grown on the management and CISO side – I think this is my strongest area, as a result.

Wolfgang, on the other hand, tells us that if he could ‘go back’ and focus on one skill before ‘leveling up’ to a CISO, it would be specializing.

It’s fashionable to talk about the C in CISO. The CISO is a business executive first, a technologist second. That’s true and it’s often said. The longer I’m out of the trenches, the more difficult the technologist aspect of the job becomes. I would level up on Infrastructure-as-a-Service and Software-as-a-Service security.

Meanwhile, Christian sees the value of his interpersonal skills and understanding people: “I’ve recently perfected the perfect home brew ale, oh wait, security thing… for me it’s all about the soft skills – bringing people together to achieve what needs to be done to best secure the business.”

Being able to see through what someone is saying, breaking down the words and reading between the lines, is at times Ian’s greatest asset, he shares.

Is bulls**t detection on the list? Understanding the noise of FUD to discern an interesting event or product in the marketplace. There is a lot of FUD to sort through, be it an article that vastly overstates the “danger” of a new vulnerability or a vendor that claims they are the 100%, well, anything. Sure, with 20+ years in the industry and a lot of time in a uniform, I’ve picked up a few tips and tricks, but at the end of the day, I would say I’m adaptable, and adaptability helps build an agile organization.

If you could go back and focus on one skill before ‘leveling up’ to a CISO, what would it be?

Becky and Ian took the opposite view, wishing they had focused more on risk and team management skills. Here’s Becky:

I never ran a risk function, so I’d wish to have spent more time in this area before landing the CISO role. While I’ve had probably hundreds of risk-based conversations throughout my career prior to the CISO role, the language and slant is different from the CISO lens. I think experiencing ownership of that function in the past would have helped me to feel more comfortable going into the “deep end of risk” in the CISO shoes!

“Wow tough one,” said Ian. “Certainly, it would not be technical certs. I’ve got a bunch of them, but as I think about the question, I would say more opportunities to build teams. Most of my experience has been gained from ad-hoc team management as either an incident handler or on a security project or sec ops.”

Whilst your career journey will certainly determine where your expertise lies and, ultimately, where you wish you had more experience, the constants throughout my discussions were:

  1. Hands-on experience with technology is brilliant: it helps you better understand the problems your organization faces and rate the risks proportionately.
  2. Most importantly, people matter, your team matters and the relationship you build with them affects your success.

My view is information security is:

People, process, and technology – but people are first for a reason.

Taking a bit of a different view, and actually in line with the whole purpose of my writing this article to begin with, Christian shares, “If I could go back, I wouldn’t want to level up. I’d want to start sooner. A misguided youth didn’t open my eyes to white hat security until very late, let alone the idea that I could even make a career out of it. But an area I wish I knew more about is mental resilience and emotional intelligence.”

The reality is that there is no perfect CISO; there is no true cookie cutter for either the role or the person. I think organizations would massively benefit from a variety of persons pursuing this position, adding that context to industry trends, handling the team effectively and bringing insights from their industry experience. This can be either an in-house or a vCISO position. In order to achieve this, organizations will be required to ensure their hiring process allows for diverse opportunities. Reaching diverse persons who might make a strong CISO but may not originally have considered the role is what interests me most.


Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

The post “What in the World Is a CISO?” appeared first on Tripwire.

Source: Tripwire – Zoë Rose

Copyright © 2020 All rights reserved | NGTEdu.com