Annual Planning For CISOs

The beginning of the year is a popular time for making personal resolutions, which can focus on health, finance or love. Whatever we call them, what we are really talking about is setting goals to improve ourselves. I’m a huge proponent of setting personal goals for the year because it gives focus and purpose to your actions. The beginning of the year is also a great time to review the annual goals of your security program to set your focus and establish priorities. Annual planning has several objectives that CISOs need to consider and include in their process, and I’ll cover them in the rest of this post.

Strategic Planning (Strat Planning)

Strategic, or “strat” planning as it is sometimes called, looks at where the business and your organization want to be over a long-term horizon. Something like 18 months to 5 years is typical in strat planning. The planning session should include discussion of one or more of the following macro-level business topics:

  • Market forces and opportunities
  • Industry trends
  • Regulatory and legal landscape
  • Competition
  • Customer sentiment, goals, etc.
  • Economic and financial environment
  • Geo-political climate
  • Technology trends and latest research

This discussion could be part of a SWOT analysis (Strengths, Weaknesses, Opportunities, Threats), but the goal is to understand where your business is and where you want it to go in the long term.

Align The Security Program

Once the business has a strategic plan, the CISO should conduct a similar planning exercise for where they want the security program to be. These are sometimes called “North Stars”, but they are essentially high-level objectives over the long term that merge technology trends, regulatory requirements and security goals into long-term objectives. These won’t be very specific, but instead should act as guidance for where your team should focus and hopefully end up over the next few years.

Examples

An example of a strategic trend and the security objective it drives is as follows:

Trend: As companies shift from the datacenter to the cloud and adopt bring your own device (BYOD), the concept of a traditional perimeter no longer makes sense.

Strategic Security Objective: Shift to a zero trust strategy where identity becomes the perimeter.

The goal is to choose big ticket objectives that will take multiple years to achieve, but will provide guidance to your org and the rest of the business about the direction your team is taking. Your strategic plan will inform the next section, which is your operational plan.

Operational Planning (Op Planning)

Operational planning is more tactical in nature and covers a shorter time period than strategic planning. Op planning usually follows either a fiscal or calendar year so that it aligns with performance reviews and budgeting cycles. In op planning the CISO will select the high-level goals they want the security organization to complete that year. Usually op planning will include discussion and planning of the following:

  • Budget creation, forecasting and changes
  • Headcount planning
  • Technology investments (if any)
  • Top risks to focus on
  • Any audits or compliance certifications needed that year
  • Development of timing and roadmap for completing specific projects and tasks
  • Discussion of security controls and services
  • Skill gaps and training requirements

The point is to create a tactical plan for the year that will inform your team’s specific goals and objectives. These goals should be clear and measurable. I typically use an iterative approach to break my goals down to my directs and then they break their goals down to their teams and so on. This ensures alignment throughout the business.

Measuring and Adjusting

One important aspect of any plan is to continually measure progress and adjust if needed. Goals and objectives aren’t useful if the business has shifted and they are no longer relevant or have become unattainable.

Wrapping Up

Strategic and operational planning are important activities for every CISO. These plans define the long-term vision for the security organization and break down that vision into tactical objectives that are accomplished throughout the year. This post gave a high-level overview of what goes into strategic and operational planning, but aligning security plans to business risk, mapping security controls, obtaining funding and reporting progress are all complex activities that every CISO needs to master.

Career Options Post CISO

Last year was a busy year for CISOs. Increased regulation from the SEC and other entities is raising the stakes for companies and CISOs. 2023 demonstrated that regulators and law enforcement are not only going to hold companies accountable for incidents and breaches, but they will also pursue accountability against individual CISOs. The CISO role is at an inflection point created by new technologies, increases in regulation and unprecedented personal risk. Given the high stakes of the role I think we are going to see an exodus in the number of people who are willing to shoulder the burden and personal liability of this role. Which raises the question: what are the options for someone after serving in a CISO role?

Serving On A Board

Serving on a board seems like a popular choice lately and now that the SEC has mandated cybersecurity experience on the board I think companies will look to increase their board membership with former CSOs and CISOs. The challenge with serving on a board is finding one that can compensate you sufficiently. I’ve served on several boards over the past 15 years and the compensation will depend on the company size and maturity. Start ups are typically able to offer compensation in the form of equity in the company, but this may turn out to be worthless if the company doesn’t make it. Big company board positions are few and far between, but will pay the best. My advice for CISOs looking to transition into a paying board position is to serve on a board or several boards in your spare time and then transition to become a full time, paid, board member if and when the company can support it.

Advisory CISO / CISO In Residence

One way to “float” between a CISO role and a board member role is to get connected with a Private Equity (PE) or Venture Capital (VC) company as an Advisory CISO or CISO In Residence. These roles help the PE and VC companies evaluate potential investments and then help guide the companies to success. If you are an Advisory CISO you can evaluate the companies and, if you see one you think has real potential, you can choose to be their CISO or serve on their board. Advisory CISOs are not only compensated by the PE / VC company, but they “consult” to the investment companies on a periodic basis and sometimes they are offered the opportunity to invest in the companies they are advising. Not a bad gig.

Consultant

One of the most common post C-Level career paths is to become a consultant. If you are well connected, are in a critical industry or are just great with people, this can be a viable career option. The experience you have built up over your career still has value and companies will pay you handsomely for your time to help advise them. If you work for a company that is unwilling to protect you if you are sued then this may be a way to continue in a CISO capacity, but without the personal risk. I’ve known people who have quit their current role out of frustration and when the company realizes the expertise they are about to lose they hire the person back as a consultant.

Field CISO

Field CISOs are fancy titles for people that are in sales or pre-sales. They are typically assigned a specific region and use the Field CISO title to establish executive relationships with other CISOs and C-Suite members to help sell products and services. Field CISOs typically have extensive industry experience in a particular vertical and use that expertise to help tailor solutions to their customers.

Title Change (But Still Security)

Another option post CISO role is to get a title change, but still work in a security-related role. This could be something like a Chief Trust Officer or Chief Risk Officer. These roles can offer more flexibility to have a positive impact on the business because they aren’t constrained by the same expectations as a CISO role. At the end of the day you are still a C-Level security executive and can continue to advance your career towards your goals.

Role Change (Not Security)

CISOs are one of the few roles that touch every aspect of the business. As a result, CISOs are well versed in a lot of different business disciplines and it would be easy for a CISO to transition to a CTO, CIO, engineering executive or product executive. For example, a CISO who is looking to exit the role may look to join a security focused startup as their CTO. Their deep industry experience and past credentials will provide credibility and allow them to continue working in the security space in a different capacity. Eventually, they can even hire a CISO to report to them and have oversight over the security function.

Start A Company

CISOs are also well positioned to see gaps in the industry where a solution hasn’t been developed. Lots of well known companies have been formed by former security executives who have left their role to start a company to develop a security related product or service. Starting a company doesn’t mean you have to develop a new technology. You could also start a consulting company, a training company or a staffing company. If you are sitting on a great idea then this is a viable option for you.

Double Down

Lastly, if you enjoy the CISO role, but don’t feel supported or protected by your current company, then find a new CISO role that gives you the support and protection you seek. Part of the interview process for your new role should include questions about who the role reports to, what the expected budget and headcount are, whether the role will be included in the D&O policy, what happens if you are personally sued, what the severance package is and how success will be measured. These should all be table stakes for any company looking to hire or retain a CISO, and satisfying these requirements will go a long way to making your CISO feel comfortable that you have their back and won’t treat them as a scapegoat.

2023 End Of Year Review & 2024 Look Ahead

At the start of 2023 I created personal and professional goals for myself to speak at conferences more, attend more professional events and capture my professional experience in a series of blog posts. In this post I’ll share what worked, what didn’t and how my results compared to my goals. At the end I’ll discuss what my goals are for 2024.

Blogging (and Podcasts)

Just before 2023 kicked off I created this blog, primarily to capture my experience as a way to give back to the industry and to catalog my professional experience as a historical reference for myself. The two biggest lessons learned are: just get started and be consistent.

Just Get Started

I talked to a lot of people in 2023 about this blog and a surprising number confessed they also wanted to write a blog or create a podcast, but hadn’t started for a number of reasons, such as:

  • “I’m not a good writer”
  • “Nobody wants to hear what I have to say”
  • “I don’t have time”
  • “I need to get permission”

It is easy to hide behind these excuses and never start, so my advice is to stop procrastinating and just get started. No one cares if your grammar isn’t perfect or if your content isn’t perfect. If you need permission, then track down who can approve your content and remove that barrier. Getting started will allow you to iterate, try new things and learn how to get better. The only way you will be able to get started is to set some ground rules for yourself. I personally found I work best by setting aside time on the weekend to write a post and then rewarding myself with some screen time such as video games or a movie. I also found that I write better when I have an idea and start writing it as soon as possible. If I wait, I often forget my thought process and then don’t write about that topic. Lastly, I found keeping a running idea log on my phone worked well. Whenever I have an idea I write it down in the idea log with as much context as possible, often creating a rough outline on the spot. Then when I get in front of my computer I can fill in the rest of the post.

Be Consistent

My goal in 2023 was to write one blog post or LinkedIn post a week. This felt sustainable without being a massive time commitment every day that would distract from my day job. My secondary goal was to increase my number of readers, followers and connections both virtually and in person. Being consistent is the best way to accomplish all of these goals. I was most consistent when I set aside time on the weekend to write for a few hours before rewarding myself with another activity. I found writing a post on the weekend or during the week allowed me time to refine it before posting it. I also relied heavily on scheduling posts, which allowed me to write several posts when I felt inspired and then post them when I was ready. This also allowed me some wiggle room if I was sick or traveling. By being consistent you continually pop up in people’s feeds and the social media algorithms will begin to recommend your content to people, which will increase your follower base.

So How Did I Do In 2023?

At the start of 2023 I set a goal to write one post per week. On this blog I achieved 38 posts and a combined 94 LinkedIn posts (which includes the blog posts). I started 2023 with 2010 followers and 1938 LinkedIn connections. I now have 2392 followers and 2091 connections. In general I connect with anyone on LinkedIn, but I do prune the connections if people try to sell me stuff or abuse the connection. Overall, I saw a 20% increase in followers and an 8% increase in connections and I’m very happy with these results.

Networking Events

I attended dozens of networking and industry events in 2023 and these spawned tons of additional follow on meet ups. If I meet someone new at an event, I try to connect with them on LinkedIn and then meet up for coffee or drinks to get to know them better. The top events I attended in 2023 were:

  • Gartner Evanta CIO / CISO Summits
  • HMG Strategy Denver Summit
  • Colorado=Security CISO Dinner Series

Public Speaking

One of my 2023 goals was to get back on the public speaking circuit. There are a few security related conferences in Denver with the top one being the Rocky Mountain Information Security Conference. In 2023 I gave a talk at RMISC about “A CISO Primer On Legal Privilege,” which gave a high level overview of legal privilege and had great audience discussion around the topic. I also spoke at a smaller, more intimate conference put on by BrainGu called RS2. This conference wasn’t security specific, but it did have a wide variety of speakers and thought leaders. The smaller conference setting allowed for great networking opportunities and I met a lot of great people there. Lastly, in July 2023 I met Hunter Muller of HMG Strategy as part of being nominated as a 2024 CISO of the Year. At the HMG Denver Summit I spoke on a panel with 3 other CISOs about “Innovation in Cybersecurity”. The HMG conference was a fantastic opportunity to meet other technology executives and hear their lessons learned.

Other Activities

In 2023 I explored joining a few new advisory boards. I’ve been on the CIO/CISO Advisory Board for the Denver Gartner Evanta community for the past few years, but at the end of 2023 I was also asked to join the HMG Denver Advisory Board. I also joined the advisory board of Phoenix Security and the STAR network for 1011 Venture Capital. My goal in all of this is to expand my network, keep up to date with industry trends and give back to the security community.

In addition to advisory boards I also explored doing video blogs and podcasts with other leaders. Most notably, Milan Patel and I have been doing a series of video blogs about the intersection of security and compliance. This has been great to cross-pollinate our ideas and also draw from a different pool of followers.

2024 Look Ahead

I had a busy year in 2023 and am very happy with my results. So what’s in store for 2024?

  1. Continue the blog with a focus on being more timely with hot topics. My most popular posts were the ones that discussed my thoughts on topics that had immediate relevance in the news or industry.
  2. Do more blogs, podcasts or webinars with other industry leaders.
  3. Submit to speak at conferences. I’ll plan to continue to submit to speak at RMISC, a Gartner Evanta event and an HMG Strategy Summit. If another opportunity pops up I’ll definitely write a post about it.
  4. Explore joining additional advisory boards. I am enjoying advising various companies and industry groups on how to navigate the complex cybersecurity market. My experience as a CISO, CTO and lifelong technologist provides perspective so I can help guide these groups to be successful.