Security Boulevard Exclusive Series: What I Learned About Being a CISO After I Stopped Being a CISO
In this series we’re talking with former CISOs to collect the lessons they’ve learned about the job after they left—either to work as startup founders, consultants, or vendor executives. The goal is to take the wisdom they’ve gained from broader exposure to other security and business leaders, and deliver those lessons back to CISOs who are still in the hot seat. We hope the current crop of CISOs can take some insight from their former compatriots and use it to up their game while they’re still on the job. Read more about the series here.
Lessons from Jack Jones, Co-Founder and Chief Risk Scientist at RiskLens
Some of the hardest challenges that CISOs have in carrying out their responsibilities tend to involve the use of soft skills. Many security executives come up from a technical background. They’ve often got their certifications and systems knowledge licked, but they struggle with the leadership elements, the team-building and the politics of making it as an executive in the corporate world.
This is hurting CISOs as they try to establish greater credibility in the boardroom and across the lines of business. One survey earlier this year offered a glimpse at the gap that exists. According to the study, when comparing employers’ requirements against CISO job seekers’ credentials, employers list 36 percent more soft skills in job ads than CISO job seekers include in their résumés.
A longtime security professional, Jack Jones has witnessed the politics and people element of CISO interaction with the business from a number of angles. He’s worked as a CISO, as a consultant and as a startup co-founder. In his career he’s had stints as CISO for a number of firms, including Nationwide Insurance, CBC Companies and Huntington Bank.
“I’ve had the benefit of going back and forth a couple of times between the dark side and the light side,” he said with a chuckle, of his moves between vendor roles and enterprise CISO roles.
Today, Jones is the chairman of the FAIR Institute, a non-profit organization dedicated to the discipline of measuring and managing risk, primarily through its Factor Analysis of Information Risk (FAIR) value at risk framework. He’s also co-founder and chief risk scientist for RiskLens, which builds commercial tools based on the FAIR framework.
As he explained, many of the things he wishes he’d known in his previous roles as CISO have nothing to do with technology and everything to do with politics, processes and mentality. Here are a few pieces of wisdom he’d like to pass on to today’s CISOs.
Build Coalitions to Succeed
One of the most important points that Jones said has become apparent to him since leaving the CISO role is that in a large organization, logic doesn’t always prevail, even when armed with data.
“The decision-making processes and the way companies work is very often political, which is very often not logical, but emotional and sort of personal and subjective,” he said. “And so, if I had been better aware of that fact, I could have helped to overcome that or deal with the obstacles.”
One of the ways to overcome this is by building critical mass through strong relationships with others in the business. The more people who can advocate for your cause, the more easily you as CISO can get logical, data-driven arguments to prevail.
“You have to essentially establish partnerships and coalitions of executives who see the world through a more logical lens to help counterbalance those that tend to not see through such a logical lens,” he said. “It’s really about leveraging strength in numbers and finding who else with influence in the organization tends to see the world more logically rather than emotionally.”
Root Cause Analysis Makes Meaningful Changes
The security industry is an industry of Band-Aids, Jones lamented.
“I’m dead serious when I say that every organization I’ve walked into and every CISO I’ve ever spoken to plays Whack-a-Mole,” he said. “Whether it’s patching problems or access control or shadow IT, there’s a litany of things I see organizations battle over and over again and never come to grips with.”
He believes a lot of this déjà vu comes down to the fact that CISOs aren’t tackling the hard task of root cause analysis.
“We aren’t taking the time to really understand the root causes that are driving the situations,” he said. “And part of that is because we aren’t able to articulate the risk implications of these problems in terms the business understands, really getting to the economics of it. We aren’t able to get the business to really understand the importance of these issues.”
Avoid Dogma at All Costs
Finally, his other lesson “is essentially boiled down to ‘Dogma is the enemy of progress,’” Jones said.
CISOs need to stop taking the “lemming approach” to risk management, where they go along with the best practices or technology that everyone else uses without examining whether those really work for their organization’s specific business circumstances. He believes these security leaders need to question their assumptions on these fronts.
“When we just plod along without really applying critical thinking and really understanding the problem space deeply, besides being wasteful, we aren’t able to really focus on the things that matter most,” Jones said. “We have a signal-to-noise ratio problem, where we can’t identify the things that matter most to us. So we get burned in the long run.”