The Special Opportunity and Skills Needed for the First CISO at an Organization
Being the first CISO at an organization is different from taking an existing program to a higher level. I have had the good fortune of doing this twice, and both were career-highlight experiences. Building from a blank slate is an incredible chance to drive change and leave a legacy, and it differs in several distinct ways that call for specific skills.
There are core skills that are table stakes for being a successful CISO:
Broad and strategic understanding of technology, data, and cybersecurity – knowing what good looks like from a security perspective.
Business acumen - understanding and speaking the language of business and being able to align the security program with business strategy and risk appetite.
Executive presence – the communication skills, judgment, and self-awareness to fit your organization’s culture and influence business leaders.
Strong management and development of people.
Delivery on projects and goals.
Attention to detail on administrative tasks – budget, HR matters, performance goals and reviews, etc.
Industry knowledge, including understanding of security and privacy regulations.
The first CISO at an organization needs those capabilities and more to blaze a new trail. The nuances of being the first in the role – doing something that is new for the entire organization – call for several additional skills:
A patient and positive temperament. Being the first CISO means breaking the ice and establishing new norms in multiple areas – leadership team communications, working with business partners, communicating with the workforce, exposing and measuring risks, establishing new policies and standards, and creating processes. Those will all be new to the organization and its other leaders, and both people and organizations tend to have limits on how much change they can comfortably manage. A new CISO may face pushback, and navigating it will require a reserve of patience and the ability to remain even-keeled.
Ability to explain “the why” behind security measures in understandable terms at all levels of the organization. Helping colleagues buy into new processes and requirements means continual education and effective communication to the workforce, management, senior leadership, and the board.
Being a culture builder. A major part of the CISO role is being a culture builder by communicating, setting expectations, and serving as an example –
First, for the security team – creating the right mindset, business alignment, and collaborative approach to doing business.
Then, across the enterprise – being an evangelist for security who can create a mindset that security is part of everyone’s job.
Strong external networking. The first CISO may need to attract people to their team and will also want to take maximum advantage of best-practice sharing. Having external connections with leaders and industry groups can help the CISO stay current and set the right strategic direction.
Flexibility and humor. These go together with patience and temperament. Flexibility is needed for working through first-time challenges, and humor is an asset and a valuable element of building culture. Starting a new program is fraught with unexpected obstacles, and a leader must be able to correct course and, at times, laugh.
Courage, confidence, and vision. As a first-time CISO sets direction to start their program, they will inevitably face questions with ambiguous answers and no set references, may have to tackle sacred cows, and must be willing to engage in constructive conflict. Having the courage to speak up, the confidence to hold their position, and the inner compass to set the true north for their program strategy are essential.
Personal balance. The ability to put a stake in the ground for family time, physical fitness, and a diversity of activities and hobbies will be important to maintaining the energy and positive outlook needed.
A compelling argument can be made that every CISO role needs these leadership traits, but they are especially valuable in the case of an organization’s first CISO.
The chance to build a program from the ground up is a rare and wonderful experience. If the opportunity comes your way – jump for it. It will push your limits as a leader and can be a career-defining accomplishment.
Hold Fast
Stay True