UofSC Horseshoe

Life as a CISO? Who, me?!

Mvieyra
CISO Tuesdays
Oct 27, 2020 · 7 min read

So what is it like to be a CISO in October 2020? What about on a Tuesday, or any day that ends in “y”? Great question! I’m not sure I really remember what it’s like to *only* be the CISO anymore, but I can tell you what my days are like now, and how I got myself into this predicament. But first, a bit of background to help you, the dear reader, contextualize what I just said and what I’m about to share. You can skip to the end for the TL;DR version (summarized bullets for the impatient).

Some of us CISO-types are drawn to service — and it can sometimes feel like a tour of duty

Have you ever had the chance to come back to a CISO job you already had? I have, and I did. I was the senior security person for the University of South Carolina for about 9 years when I got the opportunity of a lifetime: to serve as my State’s CISO in February 2014. I went into the job with my eyes wide open, or so I thought, ready for a super stressful job with near-impossible expectations but nevertheless determined to serve my state. Boy, did I underestimate the situation. Suffice it to say that while there are many similarities to serving as the CISO for a large, multi-campus, multi-university system, one of the key differences that is hard to fully appreciate until you are in the role at the state level is scale. However many universities or campuses you were responsible for within your system, you are now responsible for some order of magnitude more state agencies, with the “other duties as assigned” part of your job description taking on a whole new meaning. You think you had governance challenges before? Hah!

Many of us CISO-types are drawn to challenges — we want to be close to the “tip of the spear” or do “big things”

After serving as the State CISO for three years I was physically and emotionally exhausted and needed a change. So, what did I do next? The opposite of slowing down; I managed to land a job with another super-high-expectation organization in the private sector you might have heard of: SANS. I spent about a year and a half traveling across the country as the CISO-in-Residence, helping clients and internal stakeholders think about and develop professional development programs for security staff, and working with graduate students enrolled in the SANS Technology Institute, a fully accredited degree- and certificate-granting graduate school.

I learned more lessons than I can count in these two roles and am forever grateful for the opportunities. I describe the State CISO and private sector phase of my professional journey as “career CrossFit.” If you’ve ever done CrossFit, or seen others go through a CrossFit workout, you’ll understand what I mean when I explain that it’s incredibly difficult and intense, sometimes looks agonizing, and you constantly ask yourself why anyone would willingly do that to themselves. But if you can stick with it and manage to not permanently hurt yourself along the way, you will emerge far better prepared physically and mentally for whatever life throws at you next. Physical feats that seemed incredibly difficult or impossible before are now doable and no longer inspire fear or self-doubt.

This is what happened to me on my professional journey when I left UofSC back in 2014. Career CrossFit. Professional goals or aspirations that seemed impossible in 2013 were now on my list of accomplishments in 2018, and I had new experiences and perspectives to help me put previous challenges and stressors into a whole new context. But perhaps most importantly, my previous ideas about what was “hard,” “stressful,” “impossible,” or even “fast” and “intense” had changed dramatically. More specifically, my expectations for progress and what “good” looked like had changed. For the better, I think.

There and back again — A CISO’s tale

In the summer of 2018, my old CISO role at UofSC opened up again. Road weary and longing to be back home, I threw my hat into the ring and was fortunate enough to be offered the position. I decided to join the new CIO’s team because I shared his vision for change, and I was confident I could hit the ground running. I started my new old role as CISO of UofSC in September 2018. I met with my staff, many of whom I had hired years before, and we charted a course for our security program that would take us into the next few years. As staff turned over on my team, I was able to inject different perspectives and expectations into our group, putting into practice one of the key lessons from Jim Collins’ excellent book, Good to Great. Specifically: helping the wrong people off the bus, getting the right people on the bus, and making sure everyone is in the right seat. It is because of this very important management exercise that I can now start to explain what I do on a typical Tuesday in 2020.

Like everyone reading this, COVID-19 required changes and adaptations to whatever normal looked like before the pandemic. In my case, it meant stepping up to offer our CIO some help, as I could see he was increasingly and more intensely being pulled in too many different directions. Sometime in May he agreed to let me take some of the COVID-19 work off of his plate, and that has more or less consumed my life since. That work primarily involves meeting with various stakeholders across the university and trying to coordinate and deliver the technical aspects and components of our university’s dynamic and ever-adapting COVID-19 response.

Another non-security function I was able to take off my CIO’s plate was digital accessibility. Since I had very recently helped usher our university’s first digital accessibility policy through the policy approval process and knew how to build and manage enterprise-wide compliance programs, I agreed to take ownership of this function sometime in July. I immediately jumped into Digital Accessibility Committee meetings, helped guide and direct our external partners, and somehow managed to conduct interviews and hire our first ever Director of Digital Accessibility to lead and manage the day-to-day work.

To finish connecting the dots from where we started to this point in my story, earlier this month (October 2020) I agreed to take on the role of AVP and CISO. A simple way to describe what that means is that I spend less time doing what most people would recognize as CISO work and now spend more time doing “other duties as assigned.” Getting back to a very critical point that I only briefly touched on before, all of this is largely possible because I have a great security team. I have two great managers and leaders, Don Frank and Robert Wilson, essentially running the security team on a daily basis while I focus on non-security work. I am very fortunate in this regard and am regularly energized and re-connected with security work through them.

So what does a day, any day, in the life of a CISO look like in 2020? Whatever it needs to look like is my response. In my case, at my university, it looks like what I described above. And at least for right now, that looks about right.

In summary, below is what I spend most of my days doing as an AVP and CISO:

· Provide oversight for our university’s relatively new Digital Accessibility Program

· Regularly meet with my newest direct report, our Director of Digital Accessibility, who started in this role on 16 Oct 2020

· Help coordinate technical aspects of our university’s COVID-19 response, which is dynamic, expanding in scope to serve our entire state, and ramping up in time for the holidays (“exodus” and “welcome back!” planning)

· Serve on the university’s Policy Advisory Committee, and lead IT-related policy and compliance work

· Engage in what I like to call “process janitor” work wherever I’m needed

· Help our CIO with other strategic projects, initiatives or work that requires a more “senior” or nuanced perspective

· Provide oversight for our university’s Information Security Program

· What that really means is I occasionally meet with the people actually doing security work on a full-time basis, my two security direct reports: our Deputy CISO for Governance, Risk and Compliance and our Director of Security Operations and Incident Response. Without these two people running our respective security teams, I couldn’t do the other work listed in the bullets above.

And these are a few of the key characteristics that I think many of us in large-environment CISO roles have in common:

· We are driven to serve — strong sense of duty; run towards the fire while others are running away

· We are drawn to challenges — we want to have a big impact and solve tough problems; are rarely satisfied for long

· We are life-long learners — insatiable curiosity and voracious readers; the more we learn the more we realize we don’t know
