Protect Yourself: Safeguarding Your Career as a Cybersecurity Leader
February 27, 2023
From the impending SEC ruling on cybersecurity risk management and incident disclosure by public companies to the latest cybersecurity breach or crisis du jour, security leaders are under pressure now more than ever. To help new and experienced CISOs protect their careers from not only the constant stresses but also the potential repercussions inherent in their role, the Blue Lava Community gathered together experts — including cybersecurity practitioners and legal and reputation management consultants — to unpack best practices in all phases of your career development, from the interview process to creating and managing a program to gracefully moving on from an organization while keeping your reputation intact.
This blog will outline steps and provide resources you can take throughout your career to:
- Educate the interviewer
- Protect yourself
- Protect the company
- Plan for your long-term success
Educate the Interviewer
Mastering the interview process is essential to taking advantage of opportunities to further your career.
Canned answers to common questions won’t get you very far.
Use the interview process as an opportunity to educate the interviewer by asking insightful questions about their current security process. Demonstrate your value while you work to understand if this is the right next opportunity for you. Doing this will give you a competitive advantage and show the hiring team that you know your stuff and have excellent leadership skills. You’ll also have the chance to spot any cultural or organizational red flags that can signal this isn’t the company for you.
Vet the company you’re applying to as much or more than they’re vetting you.
Working for the wrong organization can be dismal, whether because of misaligned leadership values, a lack of challenging projects, or a lack of necessary resources to hit your goals. Worse, working with the wrong organization can irreparably damage your career.
Raise awareness of their “shadow IT department.”
One of the most effective tactics you can use during the interview process is to raise their awareness of their “shadow IT department.” In organizations of all sizes, shadow IT is a significant security risk that often goes unnoticed. Walking the hiring team through the process of discovering and remediating shadow IT activities demonstrates your value from the start and helps them realize they need your contributions. Additionally, their answers will tell you a lot about whether you want to work for them or not.
It’s not “if” but “when”
With the rapid acceleration of cyber threats, you should assume you’ll eventually be the target of one, no matter how carefully you plan. That assumption should be accounted for and incorporated into your long-term success plan. Unfortunately, most CISOs will experience a cybersecurity breach at some point in their careers. While some levels of recrimination, blame, and accusations are probably inevitable, the good news is that CISOs are rarely terminated due to a breach that occurred despite due diligence in preparation and response.
Proactively prepare your response to a breach.
Instead of being blamed for a breach, you’ll more likely be judged on your response to the breach. You can improve your worth to the company by proactively preparing for a breach, so you’re not left scrambling when one occurs. CISOs are constantly faced with a conflict between handling short-term, urgent issues, often brought about by unfilled tech positions, and maintaining a focus on long-term priorities. Finding a balance between the two is vital to reduce the risk to your company (and your career).
Protect the Company
It’s never too soon to start planning for a crisis.
When you start a new position, getting swept up in the day-to-day business operations can be easy, and a new CISO may not prioritize proactive measures. However, it’s essential to step back and address issues from the top down to protect your company from attack, not only to keep your job title but to maintain the trajectory of success that got you there and will get you to your next opportunity. Begin on day one, planning a mock executive crisis management scenario involving all stakeholders. Everyone needs to understand that a true threat doesn’t just affect the IT department but cascades down into every aspect of business operations.
Conduct a mock crisis scenario as soon as you come on board.
A mock crisis scenario drill is an excellent way to get a feel for the current state of the organization’s IT security and the attitudes and capabilities of the stakeholders and your department. Although everyone knows the importance of conducting drills, they are time and resource-intensive, so many companies procrastinate performing them. However, you should insist on scenario-based testing because it’s a high-impact method for engaging your response teams, including executive stakeholders. The results of scenario testing will let you know if everyone is prepared and understands their role in the event of an actual breach and aren’t just reiterating boilerplate responses from tabletop exercises.
Plan For Your Long-Term Success
Once you’ve nailed the interview, begin planning for your success and thinking ahead to CISO career protection. Take the time to negotiate your role and responsibilities carefully. Too often, hiring managers and HR departments don’t fully realize what’s involved with successfully protecting information assets and technologies. If you don’t explicitly hammer out your expectations for your department, you may find yourself trying to fill too many roles at once without a fully functional department. This is particularly true during today’s tight labor market, with an anticipated 85 million tech job shortfall by 2030.
Negotiate your employment contract
By negotiating your own contract this will also allow you to coach the hiring team in engaging in best practices for all employment contracts. Given that 2022 was the worst ever for malware attacks spread from employee to employee, HR’s involvement in cybersecurity is more important than ever. By placing a high value on key security tools in your own negotiation, you help set the standard for hiring practice going forward. Talk about whether employment contracts should include NDAs or confidentiality agreements. For C-suite positions, is D&O coverage or cyber liability insurance included? You can argue the importance of these items to your own role and to the company as a whole. Not only does this show your security savvy, but it also implies you’re concerned for your new company and implies loyalty.
Connect With a Professional Community + Resources
Being the CISO can be an isolating position. You’re responsible for one of the most important functions in any organization. Still, you’re often left without the resources and support you need, partly because of the lack of qualified talent and partly because few others truly understand what you do. By participating in birds of a feather security leader networks like the Blue Lava Community, you can connect with others who have been where you are. We provide an online community where you can gather, share, support, and mentor any time.
Access your copy of the 2022 (IANS + ARTICO) CISO Compensation Benchmark on the Blue Lava Community
Whether you’re just starting out or you’re a seasoned expert, you’ll get value from a support system of battle-tested security and business executives. We welcome you to sign up today to plan for your long-term career success.