Experienced CISOs reflect on their careers and identify advice that could have helped them early on. Here's what they've shared.

Becoming a first-time CISO can be overwhelming. From day one, these professionals, often external hires, must keep the organization secure while juggling a large set of challenges. On one hand, there’s the immediate pressure to defend against a growing array of cyber threats. On the other, there’s the need to navigate organizational dynamics, win over grumpy executives, and prioritize security measures without breaking the business.

“A successful CISO is a well-rounded leader, excelling and balancing all cybersecurity domains and understanding the complexities of the company and its major stakeholders,” says Mike Britton, CISO at Abnormal Security.

But that’s easier said than done. Every CISO has their fair share of regrets and a list of things they wish they had approached differently, from doing the boring work properly to building relationships or learning to manage frustration more effectively. By sharing these experiences, they offer a valuable roadmap for newcomers, helping them avoid lessons learned the hard way.

Tech alone won’t cut it

Knowing your way around tech is necessary, but not sufficient. “You’re in charge of securing the business’s information, not just hardening servers and patching laptops,” says Nate Lee, CISO and principal at Cloudsec.ai.

CISOs should adopt a holistic view that includes people and processes, because the role of technology is to augment everything, says Dimitri Chichlo, CSO at BforeAI. “A superior process associated with weak technology is more effective than a weak process associated with superior technology,” he adds.

Improvise. Adapt. Overcome.

As professional boxer Mike Tyson put it, “Everybody has a plan until you’re punched in the mouth.” This quote applies to CISOs as well.
“I realized on day one that most of what I envisioned needed to be thrown out of the window,” Britton says. “Instead, I needed to quickly assess what was critical and needed immediate attention, and prioritize those initiatives over long-term, transformative projects. As an external hire, you have to be prepared to adapt your initial plans.”

Adaptability touches on every aspect of the job, including dodging office politics and creating relationships. “While it can be daunting to build credibility, it is also an opportunity to prove your adaptability,” Britton adds.

When it comes to the ability to adapt, John Terrill, CISO at Phosphorus, has straightforward advice: “Get comfortable being uncomfortable.” When an incident happens — and it will — CISOs will feel uncomfortable. “You can’t dwell on that. You don’t have a time machine and won’t be able to go back in time. Focus on the things you can control.”

Brace for chaos, but set reasonable expectations

Granted, no amount of personal effort is going to stop incidents from happening, but first-time CISOs shouldn’t feel like they’re defending the company alone. “You’re not Atlas with the world on your shoulders,” says Terrill. “Good programs come from strong processes, muscle memory, and doing difficult work.”

That said, CISOs should try to avoid burning themselves out and setting unreasonable expectations. “No one is going to keep advanced threats at bay by missing a good night’s sleep,” Terrill adds.

To make sure you’re spending your evenings at home, “instead of focusing on protection only, dedicate significant efforts and budget for response and recovery — backup and restore capabilities,” Chichlo says.

Do the boring stuff

Cybersecurity isn’t just about guarding corporate gates. It’s also about keeping all your ducks in a row with lifecycle management, change strategies, and ensuring the IT infrastructure stays solid.
The backup and restore capabilities should be tested periodically to make ransomware less of a concern, and all the other basics should be covered. “Having an incident response plan based on activities like threat modelling and tabletop exercises is the minimum every CISO should have in place,” Chichlo says.

Optimizing existing platforms is another commonly overlooked area. “This one area leads to alert fatigue, as at the end of the day the security operations staff needs to be able to determine what is a false-positive alert versus a pending attack,” says Sue Bergamo, global CIO & CISO at BTE Partners.

As always, maintaining good hygiene and getting the basics right can go a long way. “Most of security is preventative maintenance that equates your role to running something more resembling a computer janitorial staff rather than advanced war fighters,” Terrill says.

Avoid oversharing technical details

While CISOs live and breathe cybersecurity, this is not true for their fellow C-suite colleagues. This is why every CISO needs to make sure they are communicating in a way that is easily understood. “If you speak technical jargon only, you lose your audience, and they will shift to other priorities,” Chichlo says.

A common issue with junior CISOs is that they overshare technical details. “We make the mistake of thinking everyone is interested in knowing that we’ve deflected one million attacks per month — but honestly, no one wants to hear this information,” Bergamo adds.

And Renee Guttmann, CISO emeritus and founder of CisoHive, agrees: “Don’t present numbers without understanding their relevance. […] figure out how to make sense of the numbers.”

When an incident happens, CISOs should highlight the fact that “the company has not been subjected to a material breach, [that] revenue and brand haven’t been tarnished, and that the technology in use is effective and that the staff is working hard on overall cyber defense,” Bergamo says.
Don’t overdo it

One of a CISO’s main duties is to understand the business as a whole. This allows them to “take appropriate risks to achieve business objectives,” says Britton. If they enforce protocols that are secure yet too complex, “they will be seen as a blocker, or worse yet, ineffective in performing their role,” he adds.

Chichlo recommends first-time CISOs understand that their primary clients are businesspeople, “those who earn money for your company. Every security measure is a potential constraint for them, and you must balance between security and usability,” he says. “Being too dogmatic is a credibility, security, and potentially revenue killer.”

Terrill is on the same page: “If you start making it too difficult for people to get their jobs done, you may be more detrimental to the business than an outside attacker.”

Learn to prioritize

Often, CISOs have to work with limited resources, so Chichlo advises them to “learn how to manage frustrations. You will never get the full budget you need to secure your environment,” he says. “You will (alas) have to prioritize which risks you will address first to maximize the return on your security investments.”

Given that funds are limited, they should be used wisely. “Most of the time, especially with cyber security products, the solution doesn’t make a problem go away, it creates new problems to solve and more work to do,” Terrill says. “If you can write a check and truly make a problem go away, that’s the cheapest problem you have.”

Educate and engage

In many companies, employees have limited security knowledge. “The general awareness of your colleagues regarding cybersecurity risks, whatever their position, is usually basic and often naive,” Chichlo says. This can be changed, though, through effective training done in every department, including IT. “There is a huge effort on education to be made,” he adds.

In addition to education, a collaborative environment should be fostered.
CISOs should aim for partnerships rather than pointing fingers, as they are there to help, not to denounce mistakes. “Put as much cybersecurity responsibility as possible on your IT colleagues,” Chichlo says. “Security should be by default and by design. Those who operate should be the ones who secure from the inception.”

Training and on-the-spot advice have to come from a good place and should include empathy. “Don’t fall into the trap of always needing to be the bad guy,” Guttmann adds. “Don’t let other teams make you the bad or fall guy.”

How about bringing cupcakes to work?

It’s a fact: CISOs aren’t exactly the most well-liked people in the office. They sometimes enforce draconian security measures, which makes everyone’s life a tad difficult. “We’re often the bearer of hard truths and bad news, and the controls we implement are frequently perceived as a source of friction,” Lee says.

Bringing cupcakes to work every Friday may not be feasible, but connecting with other teams and building meaningful relationships will go a long way. The objective here is to be perceived as a trusted partner rather than an enemy. Or, as Guttmann puts it: “It’s about influence, not power. The biggest mistake is thinking that sticks work better than carrots.”

This is why being proactive and building relationships with colleagues go a long way. “Understand their needs and challenges on a personal level, rather than just engaging when you need something from them,” Britton says. “This foundation of trust will prove invaluable when you need support or encounter resistance.”

The best approach to communicating potentially unpleasant security decisions is to bring all stakeholders to the table early on and make sure they understand the reasons behind those decisions. “People are much more accepting of change when they understand the reason why and feel like they’ve had a voice in the decision, even if they’d like a different outcome,” Lee says.
“Achieving the title of CISO itself lends no inherent authority. It’s up to you to wield it wisely to build the respect and connections that enable you to really move the needle forward on security.”

Put your family first

While our job often defines us, we should remember that there’s more to life than that. Guttmann regrets missing one of her daughter’s Halloween parades because her boss called her while she was driving home, and she had to talk to him at length. She missed the event. “A friend of mine took a picture of [my daughter] for me and she was tearful,” Guttmann says. “I kept that picture in my office.”

When any member of her team asked her for time off for a doctor’s visit, a soccer game, or a school appointment, she simply turned around, took the picture of her daughter crying, and held it up for that colleague to see — a gentle reminder that work could wait.