What does it take to be a successful CISO? It’s a question we’ve asked many times during interviews and panel discussions, and the answers have been enlightening. As with CIOs, the role of information security and privacy officers has evolved quite a bit in recent years – and will likely continue to do so. It’s no longer just about preventing phishing attacks (although that is extremely important).
Below, we’ve compiled insights delivered by CISOs during recent podcast and panel discussions on how leaders can successfully navigate the space, and what qualities they believe are most important.
Have the right conversations
“It’s really important to surround yourself with teammates that further complement the gaps we may have as individuals, while still serving the full context of the CISO role.” It’s also important to be able to “have the right conversations with your stakeholders to either advocate for better security or point out when a particular proposition poses a risk the organization.”
–Sanjeev Sah, CISO, Centura Health
We’re business people first
“The key to success is the relationships; the non-technical, the non-security relationships. I think working with risk and working with legal helps people understand that we’re businesspeople first. Our job just happens to be managing the technical and security risk of the organization. But they need to know that we’re as committed to the business outcomes as they are. When you have that trust and confidence, it’s really easy to get support and buy-in. If you don’t have it. It’s almost impossible to get that buy-in.
–Michael Carr, CISO & CTO, Health First
Think beyond technology
“At the end of the day, we’re here to support the organization’s objectives. That’s one of the things people don’t realize when they move into this role – this is not as much a technical role as it is a strategic business leadership position. I still have to understand technical things, but more of my job is working on business problems and helping to make secure business processes. I have to be able to understand both very much in order to be effective.”
–Sahan Fernando, CIO, Rady Children’s Hospital
People are “precious resources”
“I think a lot of people outside of our field think of security as needing some sort of technology as the secret to it, but really it’s your people and the amount of time you have. Those are the precious resources. Whenever you’re buying a tool, you have to take those things into consideration: how long is it until we see value in the tool? And how many people is it going to take to maintain and support and manage the tool? If we try and maximize those things; it’s a factor in business decisions.”
–Michael Erickson, CISO, Baptist Health System
“You can’t be the alpha”
“You can’t impede the business, even on the contract side. If you make it too difficult to pass through a contract, they’re going to start going around you. With information security, if you make the process very simple and get the security part out of the way, they’ll be your partner. They’ll look up to you. They’ll trust you. For CISOs, relationship building is key. You can’t be the alpha department in the organization. You need to blend with them. You need to help them. You need to assist them in their endeavors to care for patients.
–Jesse Fasolo, CISO, St. Joseph’s Health
“You need some type of outlet because, especially CISOs, if you don’t find some balance, you’re going to burn yourself out pretty quickly. It’s a very stressful and draining job. For me, I try to spend as much time as I can with my family. That’s kind of my happy place. I’m an outdoorsman, so I like hunting and fishing. For me, sitting on a quiet lake fishing or sitting in a deer stand, that can be very therapeutic sometimes, a nice break from the alerts and phones and emails.”
–Steve Crocker, CISO, Methodist Le Bonheur Healthcare
Don’t be a hammer
“Be a partner. Don’t be a hammer. Don’t be an auditor. Be a partner as a CISO, support your business. Support your clinical teams. Support your operational teams. Support your technology partners. The more you support them, the more you assess risk appropriately, the more you ensure that they have what they need to be successful, the more you’re going to be successful because they will ensure you have what you need. When that critical risk comes along, when you need to shut something down, or you need to patch something urgently, they’re going to be more supportive of you.”
–Anthony Longo, CISO, Baptist Health South Florida