5 ways to tell you are not CISO material

Mar 28, 2023 | 7 mins
CSO and CISO | Risk Management

Cybersecurity professionals looking at the top job have the technical skills to become a CISO but may wonder if they have what it takes to lead a team while ensuring management and board support. Here are five ways to tell if you are CISO material or not.

[Image: decision making, CISO, SOC. Credit: Gorodenkoff / Shutterstock]

As the role of the CISO continues to grow in importance and gain more responsibility, many cybersecurity practitioners may wonder if they have what it takes to be successful in the role.

Technical expertise and experience are obviously huge assets. An effective CISO has the ability to evaluate and select security technology, communicate with technical staff and make crucial decisions about security infrastructure and architecture. Most already have experience leading and managing people, have established relationships with relevant stakeholders inside the organization and have lived through crisis situations. They know how to make quick decisions and drive change in the organization.

Some qualities, however, could be detrimental to your success as a CISO. Here are five that signal you probably are not CISO material.

Being risk averse

By definition, a CISO’s role is to manage cyber risk. That involves assessing and managing risk across the enterprise and making choices based on those assessments. If you are not able to make risk-based decisions or have a hard time figuring out how to prioritize threats — particularly in high-pressure, high-stress situations — you probably want to steer clear of the CISO role. The same is true if you have a tendency to avoid taking responsibility for your decisions and actions.

The CISO role is not for individuals who are averse to taking responsibility for an action they might advocate or implement, according to Chris Pierson, founder and CEO of Blackcloak. “If you approach things from the perspective of a CYA, adversarial, or risk avoidance mentality then you may decrease your ability to partner with others to achieve a combined mission or goal,” Pierson tells CSO. “Being someone who cannot tolerate, or own risk, may impact your ability to operate effectively and turn off other people to partnering with you.”

The role is certainly not for those who are afraid to make brutal calls in times of peril.

Wanting to do it all

CISOs are responsible for leading and managing teams of security professionals. As a CISO you need to be adept at managing people and communicating effectively with others. It means being willing to listen to and consider feedback from others. You are not CISO material if you are someone who has to “win” all the time and cannot negotiate with or agree with differing viewpoints or priorities, Pierson says.

Another big red flag is a general unwillingness to delegate responsibilities or to empower other security leaders because you figure you have a better grasp of what’s going on than others around you. Similarly, if you are unwilling to hire people because you think they are smarter than you, it’s best to abandon notions of being a CISO, Stan Black, CISO at Delinea, tells CSO. “If you ‘know’ you are smarter than everyone else, be prepared to have a nation state eat you for lunch. If you want recognition, don’t worry, you will get plenty of attention when you are hacked.”

Those who have a hard time adapting to change might want to avoid the CISO role, Nicholas McKenzie, CISO at Bugcrowd, says. CISOs need to be nimble on their feet and adapt their strategies to changing business requirements and the evolving threat landscape. You know you are not CISO grade if you are the type that “pigheadedly will implement controls which break processes or are abrasive to user or customer experience,” because you think that’s the right move.

You don’t like business speak

You are not CISO material if you lack a strong understanding of business requirements and goals to develop a security strategy that aligns with the organization’s objectives. If the thought of developing and implementing enterprise-wide security processes and managing budgets spooks you, it’s best to stay clear of the CISO role. Security leaders should have a good understanding of the regulatory and compliance requirements for their specific industry and the relevant data protection and privacy laws.

If you can’t understand your company’s business speak and business processes, and where security controls can or could enable them further, you have no business being a CISO, McKenzie says. Security practitioners who are unable or unwilling to speak with vendors on a regular basis should steer clear of the CISO chair. “If you do not want to talk to vendors about leading technologies or new approaches, don’t take on the role as this is a key part of your job,” Pierson says.

At the end of the day, if you are the sort of individual who tends to place the security team’s goals above the company’s goals, the CISO job is the wrong opportunity for you. “Being a team player means that you understand your role at the company to protect customers, employees, and corporate data. But it all needs to fit into the larger picture of the company’s goals,” Pierson says.

You can’t sell security

Being a CISO means being able to sell security to management and to the ones who hold the purse strings. There are times when a CISO needs to be able to articulate and defend the reasons for a bigger cybersecurity budget or for additional spending on a project. It’s hard to be the CISO if you don’t have the ability to make a convincing case for more security dollars when needed. If you aren’t the sort who can make a compelling case for spending money on something that isn’t a direct revenue enabler, it’s best to stick with whatever role you have now, Stan Black says.

Often, one of the biggest detriments to being an effective CISO is a mindset that is overly focused on sticking within the budget, according to Larry Larsen, a security executive in the financial services sector who has held various cybersecurity leadership positions. Individuals who assume that CISOs get all the funding they require are likely to be unprepared for the reality. “If you cannot confidently go to the board and defend your proposed spend to defend against an increasingly sophisticated threat — and do it in a way that they understand — you should not be sitting in the big chair,” Larsen says.

Being overly technical

Technical skills are essential to good cybersecurity. But being overly technical is a drawback because it indicates that your approach as a CISO would likely favor throwing technology at every security challenge. The reality is that as a security leader your role really is to manage cyber risk while enabling your organization to continue meeting business objectives.

“[Individuals who] think that implementing ‘a tool’ or achieving an audit or compliance control checklist is the panacea to all security problems, are not exactly CISO material,” says McKenzie. If you think security is black or white, you might struggle in the CISO role. “The same applies if you are unable to adapt your thinking and strategy to keep up with the changing threat landscape and business direction: a CISO role is not for you,” he adds.

An overly technical focus is disqualifying in other ways, according to Larsen. Individuals who think being a CISO is all about ensuring the organization has the latest next-gen firewalls, adaptive endpoint detection and response tooling and other technologies often fail to appreciate the behavioral and motivational aspects of the bad guys behind the attacks.

“What do they really want? Why are they hitting my institution? Who are they working with? These and a lot of other variables must be considered if you are to get ahead of the threat, much less respond when it hits your wire.”