Your CISO Has Career Goals Too

I’ve been thinking about performance reviews lately and how they are a time for you to receive feedback from your manager about how you have performed over a specific time period. It is an opportunity for the employee to communicate achievements that demonstrate growth and it is also a time for the manager to give direct feedback on behavior that needs to start, stop or continue. These discussions typically involve a conversation around what goals the employee has and how the manager can best support them. However, one thing employees should keep in mind is that their manager has goals too. For the CISO this could be business objectives such as improving incident response times, lowering risk or becoming compliant with a new regulation. There could also be personal goals like speaking at a conference, serving on an advisory board or getting promoted to the next job level (e.g. Director to Vice President). The important thing to remember is that everyone has goals, no matter what level they are at. Understanding these goals can help employees understand the personal motivations of their direct manager so they can support them if the opportunity arises.

Managing Up

Managing up is a key concept for employees to understand and master throughout their career. Managing up involves influencing, providing context and helping your direct manager understand ways they can best support you. Yet, employee-manager interaction should be a two-way dialogue. In the same way managers employ situational leadership to lead employees based on their personalities, employees should also seek to understand their manager’s motivations so they can best support them.

Find Out What Goals They Have

One of the easiest ways to support your manager is to bond with them by getting to know them on a personal level. Ask them what personal goals they have, what motivates them, what parts of their current job do they enjoy and what parts do they try to avoid? Maybe your CISO also wants to gain more responsibility by building a privacy function. Or, perhaps they have identified a new risk to the business and need to put together a team to address it. Your CISO is a human being and they have career and personal goals just like anyone else. By asking questions about their goals, your CISO can discuss them with you and gauge how to best involve you so you can both get ahead. Here is a short list of goals your CISO may have:

Personal Goals

  • Speak at a conference
  • Gain a new certification
  • Obtain a new degree or complete a certificate program
  • Get promoted to the next career level
  • Serve on an advisory board
  • Expand their professional network
  • Learn a new skill
  • Understand an emerging technology

Business Goals

  • Obtain a compliance certification (ISO, SOC, FedRAMP, etc.)
  • Take on a new responsibility
  • Achieve an objective or KPI (e.g. reduce risk, reduce response times, etc.)
  • Establish a new strategic partnership
  • Stop doing something that frustrates them

What Can You Do To Support Their Goals

Once you understand the personal and career goals of your CISO you can begin to align some of your career goals to support them. This could mean completing objectives that directly align to the business objectives for the CISO. Or, it could mean offloading your CISO from activities that frustrate them so you can gain experience and grow your career. This will free up the CISO to take on new activities and you can advance your career by drafting in their wake. This is also an opportunity for you to offer suggestions about where you think you can offer the greatest assistance for areas that align to your own career goals and personal interests.

Wrapping Up

Performance reviews and career management shouldn’t be a one way activity. Employees who understand the personal and career goals of their CISO can better align their activities to support them. This can lead to learning new skills, taking on new responsibilities and accelerating their career progression. Next time you have a performance review conversation with your manager, take the time to ask your manager what goals they have and how you can best support them because it will pay dividends in the long run.

Defining Your Security Organization

Whether you are inheriting an existing security team, or building an entirely new function, one of the first things you should do after building a strategic plan and creating an organization plan is to define what you want your security organization to look like. This step builds upon the organization plan by defining what each role in your organization will do (including skillsets), what the career path is for each role and what success looks like for each job function. This will not only help define the details of your organization plan, but it will help lay the foundation for how you want to build your organization (if you are starting from scratch). If you are inheriting an organization it can help you establish your expectations by clearly defining what you want from each part of your organization. It can also help you plan for a re-org or help to diagnose performance issues with a particular team or within the overall security org.

If you are part of a large organization most or all of this will be defined by your HR department, but I still find it useful to tailor the general HR approach to your specific security organization. If you are part of a start up or small organization then you may need to define everything yourself.

Mission Statement

First, I recommend creating a mission statement. This should be a really short statement about the overall purpose of the security organization. This mission statement will not only help to clarify what your group is trying to achieve, but it will also give a sense of purpose to the security practitioners within the security org. I recommend creating a mission statement at the org level and then for each function within the security org to help clarify the purpose of that function. This will be useful to explain what your security functions do, especially when interfacing with non-security groups like legal, finance, HR, etc.

Example:

The mission of the security org is to enable [company x] to effectively manage risk related to security and privacy of our products and services.

Role Definitions

Once you have defined the purpose of your org, you will want to look at your organization plan and define what each role will do. Security Engineers, Security Architects, DevSecOps Engineer, Governance & Risk Practitioner, Incident Response Analyst, etc. will all need a short description of what the role will do. Going through this exercise will serve three purposes. First, if you need to hire for any of these roles you can use most of this information in the job description. Second, if you already have people in the role, it will help clarify your vision for the purpose of that role. Lastly, if you need to request budget, these role definitions will help explain what these people are going to do as part of the budget request.

Example Role Definition: Security Engineer

Designs, builds, configures, diagnoses, integrates and maintains security tooling required by the security organization. Establishes requirements, performs trade-off analyses and recommends tool selection. May work with other IT or engineering groups within the organization.

Career Paths

Once you have the roles defined you will want to establish career paths for these roles. Establishing career paths will require you to think about the scope and impact of each level of the role. For example, if you have 5 levels in your organization you will need to define titles for each level, the skillsets for each level and how those skills increase in scope and impact. You will need to do this for both individual contributor roles and management roles. I recommend breaking out the skills into general and role specific.

General Skills

General skills are skills required by all employees in your organization. These include things like communication, strategic thinking, agility and collaboration. If you are part of a large organization, these skills should already be defined so you can work with your HR team to adapt them to your security function and then define what each employee should be demonstrating at each career level.

Example: Communication

  • Level 1 – Able to articulate clearly and concisely when communicating
  • Level 2 – Able to convey thoughts and opinions in a compelling manner to the appropriate audience
  • Level 3 – Gains support for new projects by clearly communicating value and addressing concerns
  • Level 4 – Builds networks throughout the organization to support large initiatives and future endeavors
  • Level 5 – Champions strategic initiatives in ways that generate organization wide support

Role Specific Skills

Role specific skills are skills required by each role. They are unique. An engineer may require hands on knowledge of specific security tooling and the underlying platforms. An incident response analyst will require in depth knowledge of how to respond, contain and recover from an incident. Governance and Risk analysts may require specific regulatory knowledge. Input for these skills can come from the CIS or NIST control sets, industry job postings and industry certification requirements. All of these need to be defined in increasing scope and responsibility so employees know what is expected and can prepare for the next level of the role.

Example: Security Engineer

  • Level 1 – Demonstrates a working knowledge of security engineering concepts such as network security, identity, storage, encryption, operating systems, cloud, DevSecOps, etc.
  • Level 2 – Demonstrates a detailed knowledge of one of the following security engineering concepts – network security, identity, storage, encryption, operating systems, cloud, DevSecOps, etc.
  • Level 3 – Demonstrates a detailed knowledge of one or more of the following security engineering concepts – network security, identity, storage, encryption, operating systems, cloud, DevSecOps, etc.
  • Level 4 – Demonstrates an expert knowledge of one or more of the following security engineering concepts – network security, identity, storage, encryption, operating systems, cloud, DevSecOps, etc.
  • Level 5 – Demonstrates and applies expert knowledge of one or more of the following security engineering concepts – network security, identity, storage, encryption, operating systems, cloud, DevSecOps, etc.

The career paths will help you during budget requests to justify why you need a specific role level. For example, maybe an upcoming initiative is really critical and has a tight timeline so you need to hire someone very senior so they can start making an impact right away. Alternatively, maybe you want to hire a more junior person because it will fit in the budget, but now you need to plan to train them and ultimately, the project will take longer to complete.

Career paths will also help clarify what your team members should be working on to get promoted to the next level. They are also useful during goal setting, career conversations, performance reviews and mentoring sessions.

Example Career Path: Security Engineer

  • Level 1: Associate Security Engineer
  • Level 2: Security Engineer
  • Level 3: Senior Security Engineer
  • Level 4: Principal Security Engineer
  • Level 5: Distinguished Security Engineer

Scope and Impact

The last thing you should do as part of this exercise is define the scope and impact for each career level. Defining scope and impact gives further clarity to your team members about how they should be thinking about their role and what success looks like. It defines what part of the organization they should spend their time in and who (or what level) they should think about interacting with.

Example: Scope & Impact

[Figure: Scope and Impact]

At the end of this exercise you will be left with a very detailed explanation of not only what your security organization looks like, but what success looks like as well. Your Role Definitions will provide a short description of each role, your Career Paths will help define the levels and performance expectations for each role and the Scope and Impact will define the level where each role is expected to contribute. All of this will become a reference guide for every single member in your security org and will help you as the CSO to budget, plan, diagnose and shape your organization to achieve success.

Conquering Impostor Syndrome

Over the past eight years I have been shifting my personal interests from reading technical books to reading books on mental performance. Navy SEALs like to say their training is 10% physical and 90% mental and I think this holds true for a lot of endeavors in life. The security industry is inundated with training courses about how to penetration test, how to be an incident responder or how to become a CISO. However, if you want to strengthen your mind to handle the stress of a security role you have to leave the community and seek answers in other places like extreme sports, the military or even self help.

Mental Health is an extremely important aspect of career management that often gets overlooked or neglected. The security community is notorious for burnout because the issues we deal with on a daily basis have a sense of urgency or feel never ending. One important mental health issue that is particularly pervasive within the security community is Impostor Syndrome, which is when people who are otherwise talented or successful still feel as if they are a fraud.

I have personally experienced both burnout and impostor syndrome throughout my career and in my experience impostor syndrome is caused by a fundamental lack of belief in oneself. Therefore, in order to overcome impostor syndrome one must somehow boost their own confidence, which can be difficult because it is tough to self assess.

Understanding the problem

In order to overcome impostor syndrome it is important to first diagnose and understand the problem by asking the question:

What part of your life, career or skillset makes you feel like a fraud?

Perhaps you recently received a promotion, but haven’t received training or coaching to build the necessary skills in that role?

Or, maybe you have the skills, but you haven’t received feedback or validation that these are the right skills to have?

Maybe you are worried your skills are sub-par compared to other people you see at conferences or who you interact with regularly?

Whatever the issue, it is important to be honest with yourself about what makes you feel like a fraud. This is an important step because once you identify the issue you can build a plan to address the problem.

Develop A Balanced Approach

One of the most impactful books I’ve read on mental performance is called With Winning In Mind by Lanny Bassham. This book discusses different parts of the human psyche that need to be in balance in order to avoid psychological performance issues like Impostor Syndrome. With Winning In Mind discusses how to balance the Conscious mind, Sub-conscious mind and the Self Image to achieve balance of the psyche and ultimate performance.

In my opinion, Impostor Syndrome is caused by an imbalance in the Self-Image. The self image has not developed in line with the knowledge, career progression or skillsets possessed by an individual. As a result the individual lacks confidence in themselves and needs to spend time building up their self image to conquer impostor syndrome.

Building (Or Rebuilding) Your Self Image

Below are the steps I recommend you follow in order to overcome Impostor Syndrome. These steps require work and dedication, but if you commit and follow through it will be worth it in the end. The steps are as follows:

  1. Identify the skills or character traits in which you lack confidence. Write these down.
  2. Develop a plan to train or develop each area so you can begin to build confidence in that area.
  3. Create positive affirmations to reinforce your training and build your self image. Put these in prominent places (fridge, desk, mirror, car dashboard, etc.) that you see daily and repeat them to yourself whenever you see them.
  4. Record your progress in a journal and review regularly.

Example

  1. Identify skills – I feel like an impostor when I speak in public. “I want to be a better public speaker”
  2. Develop a plan – “I will practice public speaking for 15 minutes a day, while recording myself. I will review the recording each time and make a plan for the following day for how to improve.”
  3. Create Positive Affirmations – “It is like me to be a great public speaker”
  4. Record your progress

Wrapping Up

Impostor Syndrome is a common psychological performance issue, particularly in the security community, and it is caused by a fundamental lack of confidence in oneself. By honestly identifying where you lack confidence, you can develop a plan that will help you improve your self image and ultimately overcome the feeling that you are a fraud. If you suffer from impostor syndrome I encourage you to speak openly and honestly about it with a mentor, trusted colleague or mental health professional who can help you create a plan to overcome the issue because impostor syndrome can cause you to psychologically hold yourself back from truly achieving your fullest potential.