Hacking It as a CISO: Advice for Security Leadership

A security leader shares tips for adopting a CISO mindset, creating risk management strategies, and "selling infosec" to IT and executives.

Modern security leaders sit at the crossroads of business and technology: they sell the importance of security at every level of an organization while helping the business stay efficient, build a risk management strategy, and prepare for the cyberattack that will inevitably come.


This idea of "selling information security" is the area where security leaders struggle most, said Peter Keenan, CISO of a financial services company, in a DEF CON talk. As security practitioners transition from roles as technical analysts or engineers into leadership positions, they learn the challenge of driving security through a business without control over employees' performance.


Information security at its core is "influence without authority," he said, and it's more involved than convincing executives to invest in new technologies. Security leadership may feel like a lot of top-down selling, convincing the board and CEO that you're doing well, but leadership also means conveying the importance of security to people across all levels of the business.


"If you actually want to fix security at an organization, you have to sell it from the bottom up," Keenan said. "It's the people on the ground, the people at eye level who are actually doing the things that will make you more or less secure, and you have to convince them that this is the right thing to do, and these are the changes they need to make in their processes to be better."


This requires a different strategy depending on who the CISO is talking to. Consider IT: You may think tech folks all have a similar mindset, he said, but selling security to IT can be a challenge.


