Walk a mile in a CISO's shoes

I saw this article over on Good Morning America about a town in New Jersey that was tired of parents yelling at the umpires during their kids’ Little League games, so they came up with a unique solution….

If a parent or another spectator fights with an umpire, they have to volunteer to officiate themselves for at least three upcoming games.

I was thinking about the role of the CISO and how this story relates, and around the same time I was reading another article about the recent conviction of the Uber CISO. I’ve been watching the case, and I definitely don’t share the same angst as those in the community over the guilty verdict. This is not to say, though, that he didn’t have some tough choices to make, just that they would certainly not have been the choices I would have made if in the same situation.

Having been a CISO with three companies across multiple industries, I can say with experience that it’s a tough gig, with complicated decision-making, in order to protect company data and systems in today’s threat environment. But it’s something that most of us go into knowing the level of effort that it takes to do the job right and it’s a life choice, or dare I say, a calling that we’ve taken on.

Many outside the Information Security community may not have visibility into all the things that Security Professionals have to be responsible for, think about, and implement every day. Below is an image (with the link to the original, as all props go straight to Rafeeq Rehman for his efforts in building this tremendously useful tool that I use for planning and execution) of a mindmap depicting a very comprehensive view of the various topics that must be considered throughout the year by security professionals in order to build a defense-in-depth posture that is risk-aligned with business goals.

It’s enough to make one dizzy, and apparently, enough to be pretty stressful to some CISOs, but I can say this has not generally been my experience, and as this article points out:

But for cybersecurity professionals, stress has always been a part of the job.

It’s there. It’s part of what we do and the good ones learn to manage it. What matters is how we handle it, channel it for good and harness the stress to deliver excellence during challenging times. I always say that I thrive on “positive stress”. For me that is operating in a fast-paced, constantly shifting and challenging environment that never gets dull, and offers few opportunities for my mind to just wander. It’s all in, all the time. Then, when opportunities present themselves, take the time to smell the roses and enjoy the team that you have built around you over a bourbon and/or a cigar, sitting down to a meal together, going on a golf outing or whatever brings you together and allows you to circle the wagons.

It sure would be nice though if every once in a while, much like Deptford Township in New Jersey, we could make those barking from the sidelines (or even worse, just completely ignoring the threats) all walk in our shoes for a bit and give them the opportunity to make the calls that balance threats against risks against budgets and operational efficiencies. That I wouldn’t mind seeing at all.