When we become a CISO, we all know better to operate at the speed of the company, not operate like a racehorse for which I did in my first CISO job. I will admit, I was taken by cybersecurity adrenaline to put in an insane amount of hours to do whatever it takes to protect my past employer that ended up being my demise. While I exhibited a loyalist and high work ethic, I let the adrenaline of the cybersecurity issues get the best of me as I operated faster than all of the other executives, because I wanted to protect the company. I was fearful of a cybersecurity breach on my watch and this was totally about individual pride and ego.
Earlier in my career, I made this mistake myself without realizing until it was too late. For instance, I was the first CISO for a $2 billion holding company that was in dismal condition and under horrible IT leadership. I came in to be the new IT director for our business and functioned as the companies first CISO for five business units for a shared services IT model. I rebuilt the IT shop I was in charge of, kicked major butt by fixing problems and issues, turned the place around, built IT and cybersecurity programs, became compliant for SOX and PCI, improved reliability and up-time, reduced cyber risk, implemented layers of security, etc. to only be shown the door within one year.
I learned the hard way that I pushed too aggressively and people became “exhausted” with my endeavors. We all know that we have to moderate ourselves in our jobs, but with cybersecurity it is different.
CISOs have a less desirable position in a company compared to a VP of marketing for instance. The VP of marketing gets to do the fun sexy work of promoting the company and being creative and the CISO gets to be the person that is viewed as the company “police officer.” Everybody wants a police officer when they need one, but when they don’t, they want you gone. This is the life of a CISO regardless of how gregarious or likable you may be. Being a CISO is a very difficult position in a company and can be viewed as a “thankless” position.
While this advice may sound like typical “cookie cutter” leadership that is playing the “safe card,” it actually isn’t. I firmly believe in being bold, innovative, a thought leader, and a progressive leader, but this is very hard to perform because the role we need to carry out may limit our true ambitions.
Bottom line, go at the pace your company would like to see; don’t tire out your company to a point where the other executives experience your “cybersecurity exhaustion.”
Happy survival in the C-Suite.
Sign up for CIO Asia eNewsletters.