What Got Us Here: A CISO's Perspective

Originally published by CXO REvolutionaries.

Written by Ben Corll, CISO in Residence, Zscaler.

I recently read “What Got You Here Won't Get You There” by Marshall Goldsmith. The book's premise, as the title suggests, is that the things that got you where you are today may not get you where you want to be tomorrow. While jotting down a quick summary of the book (something I do to help me better remember a book and overcome my ADHD tendencies), I started to relate its teachings to cyber.

I share similar sentiments when I teach the SANS MGT514 class. Excelling at your craft is what got you to the security manager or leader position. It will take different skills to move further in your career and up the chain of command. If anyone has had the pleasure (or displeasure) of attending my recent Evanta keynotes, you've heard me talk about how my career thrived by building security programs. As successful as I've been, I also strongly believe that the processes, products, and mindset I used in the past are insufficient to protect organizations going forward.

I want to share some points from the book that I believe ring true for the cyber industry. First, one has to be realistic when deciding what to change. Change is hard. Like most business units, cyber doesn't have all the resources we'd like. We don't have all the people, budget, or time we'd prefer to conduct our operations. As such, we must prioritize. We must approach change in three consecutive steps:

1. List what needs to change.
2. Determine what on the list can be changed
3. Consider the effort required to make the change

These steps help us prioritize the efforts and projects that are most likely to be successful and provide the best return on investment.

While change is hard, it is not impossible. We just need to be intentional. Realize that we can change. Recognize if we can change, so can others. It is important to give people the space they need to grow. I built my career on legacy technology – perimeter firewalls and host-based antivirus with old-school signature databases. It worked for us. Now, threats and technology have evolved, so we need to upskill our teams and embrace new ways of doing things.

For instance, I don't assume perimeter-based protection is sufficient. Why not? Because data and users no longer sit in a single location! My controls must follow the data (and users) to where they are today. Otherwise, I will lose visibility or have to backhaul all their data to my location, something many businesses are still doing. This hamfisted approach introduces latency into the workflow and results in users having a sluggish digital experience. Just because organizations have always done it this way doesn't mean it'll work going forward. It’s time to be open to change.

In my last role, where I had the privilege to lead the cyber and data protection efforts for a global manufacturing company, I had a bit of a wake-up call. No, not a material breach. I started to design a program built on my previous experience. After all, my previous experience was instrumental in landing me the new role. However, the company was in the beginning stages of a full digital transformation. They were starting to move things to the cloud. If I had limited my thinking to what I knew, I would have led my team into architecting, designing, and delivering a solution that was unsuitable.

My second point is the need to stay humble, even when running business units. Keep an open mind. Allow your smart people to let you know about the new "art of the possible." Just because something worked before doesn't mean it will be effective in the future. I can say with certainty that I would not have succeeded in my last role had I insisted on recycling ideas from previous companies.

Speaking of staying humble, I often remind myself that no person or program is perfect. Many CISOs and security professionals start their presentations by stating that data breaches are a matter of “when, not if.” I won't digress much on this point; I'll just say that Goldsmith reminds us that nobody is perfect. Those who act infallible annoy everyone around them. Don't be that person. Also, don't fall into the trap of chasing perfection. As you work to mature or progress your program, focus on what it needs and not mindlessly tick checkboxes. If you follow a maturity model, like CMMI, don't push to progress a company to level five simply because that’s the highest level. There has to be a reason and a purpose that applies to your organization. Achieving a perfect score with some abstract security model is far less important than managing and reducing your organization’s risk.

Being risk-focused aligns with another point from Goldsmith's book: we need to find and fix flaws. Goldsmith was referring to fixing personality flaws that might be causing friction in the business. From a cyber perspective, we need to find where our processes are causing friction in the business. View everything through the lens of risk. If we're not managing risk and providing value, our efforts may be annoying or hindering the business. Find out where the security processes cause friction and see if you can change them to improve the business. Understanding the business is a large part of moving from a security engineer to a security leader. By finding and fixing flaws (or friction points), you are doing good for your organization’s health, not just security.

The last point related to cyber was the lesson that we must remain open to the process of change throughout the entire experience. Things are going to take time. We cannot build and direct our programs overnight. Long before the first steps of an initiative, we have to influence the change, which, again, takes time. Extend your patience by looking for small and subtle victories. Take the small wins. Socialize them. Also, nurture new habits you want to see thrive in yourself, your team, and the rest of the business. Perception and reputation take time to build. Repairing lost trust takes much longer!

Take your time. Do it right. Do it well. Keep going.

I truly enjoyed reading “What Got Us Here Won't Get You There.” I hope you found my observations on how they apply to our industry helpful and relatable.