Security leaders need to explore before they can exploit

“I mean, you can’t manage something until you know what you’ve got. So, before you can exploit, you explore.”

That’s how Robert Ballard — best known for discovering the Titanic — explains his current focus. He is mapping the vast expanse of water that comprises the United States (read more here).

Ballard is exploring uncharted waters to inventory and understand how to exploit the value. Much like the modern security leader.

As security leaders, how do we earn our position in the executive suite? How do we ready ourselves for the position?

Kevin West, CEO of K logix (Twitter, LinkedIn), invests time interviewing and profiling CISOs. He recently shared some findings in “Feats of Strength” (link to download).

What 40 interviews reveal: have you earned the right?

Some key findings from the work include:

• Most CISOs average 13 months in the role

• The bulk of CISOs are in their first “leadership” role

• Only 15% of CISOs report to the CEO

The majority of the CISOs believe they will report to the CEO in the future. Perhaps true, we have a long way to go. And while anecdotal, Kevin noticed an interesting trend.  Most who report to the CEO today are in their second or third stint as a security leader.

Perhaps they’ve earned the position?

Many organizations consider security leaders as “security resources with teams.”

It’s a journey to develop the foundation and competencies necessary to prove leadership. The CISO is a new position in most organizations. With less definition in the position itself, have you earned the recognition as a leader?

Have you earned the right to report to the CEO?

The CISO position is immature

As an industry, we’re struggling with the CISO position. We’re working to define what it is, required competencies , reporting structure, and the like.

By contrast, consider the still-evolving position of the CIO. In most organizations, the CIO handles the information. In recent years, an expressed interest in security evolved into a top-level concern. Their interest in security is influential on the role of the CISO.

A CIO might delegate security to the CISO so they can focus on enablement and productivity? In the process, does that elevate the position of security? Does the CIO have a responsibility to protect the information? Do they have a natural and vested interest in keeping security under their purview?

The question to consider is whether security plays a broader role than just technology.  What about integrating physical security? Where does fraud control fit? Compliance? And as more companies move to the cloud, the importance of governance increases.

Do you want to be on your own?

The growing importance of security reveals a struggle with vision and business alignment.

Kevin shared a trait observed in successful CISOs. They “enable the team to execute on the business plan — with a technical mindset.”

Many in security advocate for a leadership role that reports to the CEO. Kevin’s research suggests “it’s not smart right now for most to separate it out.”

Few organizations are ready for a CISO in the executive suite. In reality, few security leaders are ready for it today.

For example, Kevin shared a hospital CISO he worked with that fought to get out of CIO/IT. He cited the direct conflict of interest (familiar approach?). He immediately learned the job got harder, not easier. It forced him to rebuild. He needed to start over.

In my experience, leadership is a journey.

It starts by understanding where we are. As individuals. Within the organization. And as an industry.

With an accurate picture we ask, “what do they need?” Then we have a goal. A direction to progress. That’s how we advance from practitioners to leaders. How we earn our spot in the executive suite.

That means security leaders must explore before they exploit

A security leader needs to rank assets and efforts to create value. To protect the right things means knowing what matters. Accurate insights and understanding lead to better decisions.

Security leaders face pressures no other leader in the organization has. Or understands. But they are not alone. The key is mapping opportunities and engaging the right people in the right way.

That’s where the advice from Ballard comes into play. Security leaders need to explore before they exploit.

Exploit? Isn’t that what our attackers do?

Without a doubt, exploit holds a negative connotation in the security industry. Yet the verb “exploit” means to use a resource completely, in a way that creates the most value.

Start by exploring, discovering, and mapping value to the organization. Start by finding out the answers to three basic questions:

• Where does the company make money?

• How does the company grow?

• What puts our ability to make money and grow in jeopardy?

Security is unique. We gain insights into the corners of the business. We know what got swept under the rug. We learn about what challenges people face.

We also see the brilliance of the organization. The successful programs. The work of people to protect information and advance the business.

We are an untapped conduit to bring people together. Use the exploration as an opportunity to establish trust and credibility with others.

Get started now

The good news is organizations realize the growing importance of security. The struggle to understand the role of the security leader creates opportunities. It is time for security practitioners to journey from technical resource to recognized leader.

What can you learn in the next 100 days?

Instead of a call to “think like an attacker,” act like a leader. Embark on your own exploration. Learn about your organization and the people that comprise it. Explore how the business works. Identify protections and areas for improvement.

Go a step further. Find out what assets, resources, interests, and talents are available.

Then step back and consider how to best exploit what is available to you to create the most value for the company. Align your energy and efforts with what you discover. All while improving the security and protection of the organization.

One more step on the journey from security practitioner to recognized leader.