


Christopher Burgess
Contributing Writer

Want to make cybersecurity much stronger? Become a mentor

Jul 17, 2023 | 6 mins
C-Suite, Data and Information Security, IT Leadership

A community of mentorship builds stronger CISOs and is good for the cyber industry. Making it happen is simple: if you have a problem, reach out. If someone reaches out, answer the call.


Those who have been around the world of cybersecurity for a while have long realized the importance of the chief information security officer's (CISO) role in leading teams charged with maintaining the security of corporate data and much, much more. But both freshly minted and veteran CISOs can sometimes feel they're stranded on a desert island for several reasons.

They may be new to the role and acclimating to the responsibility and, of course, the accountability they are now shouldering. Others may find themselves having to rapidly garner knowledge and perspective when a situation about which they lack familiarity lands on their plate. This is where mentors and mentorship can be invaluable. So, I set out to determine what that looks like today and how accessible CISOs are to one another.

There's been a sea change for CISOs

The thought process was driven by the conviction of Joe Sullivan in late 2022, which caused a sea change for CISOs as personal liability moved front and center. In a recent interview with CSO Online, Sullivan commented: "Our goal as a community should be for security leaders to become more empowered, more resourced, and more championed under the leadership of their companies." Deb Radcliff, the author of the CSO Online feature, shared that "Sullivan wants to use his case to rally security leaders to work together and with lawmakers to clarify reporting rules and liability and to finally draft a national data breach and reporting law." That would mean advocating for more support and nurturing CISOs at the board level while promoting transparency between security and leadership.

My search for insight began at RSA 2023 and continued onward over the following months. At RSA, I encountered Armis CISO Curtis Simpson, who noted that CISOs must use every engagement with a peer as an opportunity to learn and build confidence. He continued that community events provide excellent means to share and acquire knowledge.

Engagement and education can help support leadership

During a follow-up discussion in June, Simpson shared a vignette that spoke to the efficacy of those with a depth of experience being willing to share the information via conferences and such. "Three years prior in the height of the COVID pandemic, I presented at a virtual event. Recently an individual who had attended called upon me to assist them with a substantive question," Simpson said. "This drove home the point that there are ways of impacting the community which are not immediately measurable."

Calls like this are the reward for sharing. Simpson encouraged anyone who is stuck or needs a new perspective to reach out and engage with those with more experience and, above all, don't be afraid to ask questions.

What goes around, comes around: answer the call

The next stop was with one of my own mentors, Raj Samani, chief scientist at Rapid7, who has provided me with insight for more than 17 years. His advice: "Seek trusted advisors ... ultimately the CISO must think strategically and not become mired in the tactical day-to-day decisions. Develop a risk ownership model for your enterprise and find people with integrity and who you can trust."

"We so often question the motives of others -- I've been in this position," Samani says. He also observed that "not every call has to be a sales call -- engage, learn, and share. I have reached out to my mentors to help me discuss situations and strategy. When your colleague calls, answer the phone, and give advice. In the end, we are all trying to prevent the same set of risks from becoming reality."

"Security can be an especially high-stakes and quickly evolving field, which makes a good community of mentorship incredibly valuable," says Gary Barlet, field CTO at Illumio. "There's no question that having mentors (and being a mentor yourself) is essential. To find mentors or mentees, CISOs and CIOs can turn to networking groups for security professionals, leadership within their organization, and friends of friends. I found that I needed different mentors at different points in my career, and sometimes, the best mentors come about organically."

Mentorship is an invaluable tool in cybersecurity

Barlet said he would like to see more mentorship between business and organizational leaders in the same peer group. "That’s how security leaders will be able to achieve the goals and build the resilience they're striving for. For security teams to be successful, the whole organization, and particularly leadership, needs to be brought in -- and this starts with mutual respect and a solid understanding of the function."

"Mentorship in the cybersecurity field is an invaluable tool in both an individual's and an organization's maturity. CISOs who have been through the wringer have considerable wisdom to share about everything from ransomware remediation to dealing with recalcitrant CFOs," shared Craig Burland, CISO of Inversion6.

He cautioned, however, that challenges exist in organizing mentorship: "The first is very human. Finding a good mentor is a very organic and personal process. Personalities have to click and career trajectories have to be complementary. The second issue is about secrecy. Many of the circumstances where a CISO needs guidance are highly confidential, fast-moving, and intense."

Peer-to-peer engagement is good for cybersecurity

I finished my mentorship survey of the industry with another individual to whom I have turned for advice in the past, Candid Wuest, vice president of cyber protection and research at Acronis. He pointed out the need for the CISO to embrace the increased management responsibility with CEO alignment, which in turn will "bring less resistance when driving security and aligning business needs."

Engagement and peer-to-peer mentoring at the seniormost levels increases "the visibility and awareness of the security status for the C-level and drives home the point that cybersecurity is no longer an IT topic, it lives in every department and every decision," Wuest says.

The advice and counsel contained in a recent Harvard Business Review piece on mentorship highlight the need for "bridge mentorship," when social capital unites a diverse set of individuals "to encourage collaboration, understanding and exchange of resources." Burland's observation about trust and confidentiality is but one more voice added to the cacophony that mentorship is a definite plus, yet one must ensure that the individual(s) providing mentorship are trustworthy and persons of integrity.

Put simply, mentorship builds a stronger community of CISOs.


Christopher Burgess is a writer, speaker and commentator on security issues. He is a former senior security advisor to Cisco, and has also been a CEO/COO with various startups in the data and security spaces. He served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Cisco gave him a stetson and a bottle of single-barrel Jack upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit, Senior Online Safety.
