One factor that is necessary for long-term success is compromise, which, essentially, means being able to help the enterprise meet its goals while keeping risks within acceptable tolerance levels. "Part of why I think compromise is such an important skill for a CISO or security professional is that many of us are trained to say 'no' on new initiatives without trying to make a pathway to get to 'yes,'" says Williams.
Williams recalled a recent conversation with a CISO at a large company in which the CISO proclaimed that he would "unequivocally" ban BYOD from his organization. What the CISO didn't appear to understand was that it was happening anyway, explains Williams, behind his and the IT department's backs. "People found ways to bring certain work items to their personal devices through cloud sharing applications such as Dropbox and Evernote. The business he supported clearly had a need for some of these services, but his stubbornness ultimately led his users to work around him," he says.
Effective Habit 3: Creativity.
It's no secret that the adversary is quite creative. Attackers are intelligent, dynamic, creative, and motivated, and security pros need those same skills to match.
In addition to defense, creativity also helps solve technical problems. For example, Williams recounts a time when a client was exploring a mobile point-of-sale system to be used for sales from outside their primary place of business. "The CISO never outright said 'no,' but instead worked through the requirements of the business, found acceptable solutions that met the company's security goals, passed on some of the cost of this to the business owner, and was able to get a solution working," says Williams.
This is one example of how creative security professionals can improve their relationships with other business stakeholders and lower risk more effectively.
Effective Habit 4: Root Cause Analysis Skills/Problem Solving.
According to Digital Trust's Martin, root cause analysis and troubleshooting skills are necessary because it's impossible to train for the unknown, and there will be plenty of unknowns to analyze in the typical security career.
"Nobody can know everything about everything, and there is always something new, different, or strange that comes along," he says. This is why, for his practice, Martin seeks candidates who, in addition to possessing good levels of competence in security, have savvy problem-solving skills. "They won't know how to solve a new problem immediately, but they'll figure it out pretty fast. This is essentially the heart of hacking; figuring new stuff out. Without the ability to think on your feet and figure previously un-encountered stuff out, how will they respond to a mysterious change in a box configuration, or the latest zero-day?" he asks.