CISO/CSO Roundup: Resolutions to Consider for 2016

I again recently had the pleasure of attending a gathering of CISOs, CSOs, and hand-selected security vendors, and (like last time), the executives and presenters who shared their experiences provided valuable insights into the challenges cyber security professionals are facing and the techniques and tools they are using to overcome these obstacles.

Today, I’d like to share with you five pieces of advice I jotted down in my handy-dandy notebook. If you are of the “new year, new you” persuasion, I dare say these items would be worthy additions to your list of 2016 resolutions.

1. Embrace creativity in the workplace

This, interestingly, was a directive I heard multiple executives mention in varying degrees and contexts. Essentially, the goal is to allow new ideas and new methods to be voiced and have the freedom to flourish within the workplace.

One speaker suggested that information security managers take a page from Hackathon Charlotte, an event billed as “one part party, one part work-your-butt-off overnight battle against the clock.” At this and events like it, hundreds of programmers, designers, and developers work in teams to try to solve a problem. Many leave work and go straight to Hackathon CLT, with no qualms about continuing to do the same activities they are often unhappy to do during the workday.

Why do they do what they do? Because they are passionate about their profession. Why are they happier at the hackathon? Because they are in control of the creative process.

Imagine what it might be like to tap into that passion and creativity, and put it to work for your organization. As one technology director noted, it could be as simple as allowing trusted employees to ask the questions they need to ask and giving them the opportunity to choose their own problem-solving paths. Your organization could find new and better ways to do things — and you could find yourself with fulfilled, energized employees on your hands.

2. Learn how to give constructive feedback

Again, this piece of advice was overheard in multiple sessions. All who discussed it stressed that giving constructive feedback is an acquired skill — and one that you must possess in order to be a truly effective leader.

Nicole Price of Reality-Based Leadership — who delivered an engaging and energizing keynote — noted that anyone can judge others, but she stressed that judgement only gets in the way of productivity. “Edit your stories to facts,” she advised, and redirect wasted time and negative energies by focusing on coaching and development of skills (yours and your team’s). People and circumstances will always get in the way if you let them, she said.

“Change the way you think about and react to the circumstances, and change the way you lead the people. And waste zero time negotiating non-negotiables,” Price said. “Circumstances aren’t the reasons you can’t succeed, they are the boundaries within which you must succeed.”  

Ultimately, the goal is to be purpose-driven and lead more effectively. As one CEO noted, “If your people truly understand what you want, they can usually deliver.”

3. Define ‘security’ for all your audiences

If you’re in information security or IT, your definition of ‘security’ is probably similar to that of other like-minded professionals. But have you stopped to consider that your definition might be wildly different from the definition used by other people in your organization?

It’s reasonable to expect most (if not all) employees to nod their heads in agreement to the statement, “Security is paramount!” But while you’re thinking about endpoint and network and data security, Kelly from accounting is thinking about financial security, and Tim from HR is thinking about employee security, and Aaron from legal is thinking about job security, and Yvonne from security is thinking about physical security.

That’s why it’s important for all of your audiences to truly understand what you mean when you talk about “improving security” within your organization. As one CSO advised, “You need to define security so that it satisfies 80% of the people 90% of the time.” Communicating that definition is key to working toward a common goal.

4. Make risk reduction your primary focus

In one session I attended, the presenter led with a statement that was also a challenge: “Security isn’t about buying tools, it’s about reducing risk.” Why was this a challenge? Because (as he noted) this goes a bit against the “defense in depth” strategy many CISOs and CSOs are encouraged to employ, with technology layered upon technology layered upon technology.

The VP urged attendees to really think about their goals and what they want to achieve before implementing a tool, and to examine whether the tools they want to use (and those they are using) will actually help them reduce risk within their organizations. He also stressed the importance of meaningful measurements, saying, “If you can’t measure it, you can’t control it — or improve it.”

Aligning security issues to business risk breeds a unified approach, which can be a powerful force. “It’s important to take a holistic look at your security program,” he said, “and have conversations with your Board about the right investments for the business.”

5. Don’t stop before you start

What the CSO who gave this advice meant was, essentially, don’t talk yourself out of doing something before you’ve even tried it. Let’s call this the Debbie Downer cousin to “analysis paralysis”; you become a naysayer because…well, just because.

This can apply to many things, but in this case the CSO was talking about security awareness and training initiatives. Though he acknowledged the need to focus on technology and technical safeguards, he also stressed the need to focus on people and culture — and he cautioned that minimizing the value of users and processes is detrimental to organizations.

“This is not an either-or proposition. We have invested and spent time on technology and so we know the things that work,” he said. “Until we make a similar investment in education and training, we cannot complain that they don’t work.”

At the root of this particular point — and relevant to the discussion as a whole — is a fairly simple idea: Don’t be afraid to try new things. And isn’t that really the bedrock of the best resolutions anyway? To let go of the things that aren’t working with the hope of finding better options?

As retired U.S. Army General Eric Sinseki used to tell his commanders, “If you don’t like change, you’re going to like irrelevance even less.” Here’s to a 2016 filled with relevance, success, and budget-friendly Board meetings. Cheers.

Take a look back at the five cyber security resolutions we suggested for 2015 and see how many you’ve adopted in your organization. And if you’d like some help in developing and delivering a security awareness training program that will reduce your employee-driven risk in 2016 and beyond, visit our website.