Recently, Taylor Armerding published a terrific story on CSO Magazine online that highlighted how poorly CISOs are viewed, based on a recent ThreatTrack report that surveyed 203 C-Suite executives. In general, the views held about CISOs were very disappointing. As CISOs, we have been seeing a lot of “unplanned” movement in the industry as well.
As part of the Surviving The C-Suite Blog on CSO Magazine, I wanted to share the experiences of other executives to raise and elevate the profile of the CISO in the C-Suite. The goal is to make the CISO successful and thrive in an organization, not viewed as the “anti-business” department that does not know how to fit with the rest of the organization.
We have seen many CISOs come and go over the years; however, a critical point a CISO needs to achieve is the three-year mark within their own company. It demonstrates that not only can a CISO lead a cybersecurity program and manage risk for an enterprise, but also can work across the enterprise with other C-Suite executives. This is very important because in most cases it demonstrates they can politically survive and even thrive as a CISO. It’s no secret a CISO position can be a very contentious position, but a successful CISO can determine his own future with a company and not have it defined by another executive.
I spoke with the distinguished Kim Jones, Global SVP & CSO of Vantiv based in Cincinnati, Ohio. Kim relocated from Scottsdale, Ariz., over three years ago to lead the No. 3 credit card processor in the USA. When I reached out to Kim, I wanted to see how he has been successful at Vantiv and how he functions with other executives. In addition, I also asked what it is like to deal with a target on your back at times, and how to balance business needs against securing a major corporation.
You have been SVP & CSO at Vantiv, one of the top three credit card processors in the USA, for the past three years. What are some of the attributes that have made you successful in your position?
For me the key component to successful security leadership is to remember you are a business leader first and foremost. My job is always to enable the business and look for ways to help the business succeed. This is more than just a slogan or a catch phrase; it is a philosophy and approach to how I do the job and how I expect my team to do the job. "No" may have to be the first answer, but "how" must always be the last.
When you reflect back on your own career as a CSO, what was your biggest mistake, what did you learn from the mistake, and how did you recover from the mistake?
I have been told that I think in a non-linear fashion; this helped me tremendously as an intelligence analyst in the service. The problem is, though, that I tended to (accurately) leap to the conclusion about an issue without laying out the steps, thinking that everyone could see the same thing I did. This really hampered my ability to communicate to non-security/non-IT folks early in my career. I spent a long time (with the help of good mentors) learning how to communicate and lay out the steps so that others could reach the conclusions I was leaping to.
What should CISOs be doing in order to work well with the business units within the enterprise?
Get out of your office and go talk to your business partners -- and their bosses. I still make a habit of walking the floors of my headquarters building twice a day...and that includes a swing through the executive wing. I duck into offices and cubes regularly just to see what is going on and what I can help with. I get more information and conduct more business during my 'walkabout' than any other time.
What tips would you offer a first-time CISO coming out of the gate into a new CISO position?
Whenever I take a new gig, my first investment is a $500 Starbucks card. I then spend the better part of the next month taking key leaders and influencers to coffee. Many people do not have time for a meal, but everyone has time for a cup of coffee. Anyway, I ask these folks the same three questions every time: (1) tell me how you make money; (2) what keeps you up at night; and (3) if there is one thing I could do in my area to make things easier for them, what would it be. You do this for a bit and not only will you get a good understanding of how the organization works but you will quickly identify some low-hanging fruit re: what makes sense for you to tackle first as a CSO. It is a simple technique, but it works for me.