By Derek Fisher
Fri | Jan 3, 2025 | 5:41 AM PST

Embrace the challenges of cybersecurity leadership

For many of us in the security industry, it's the pinnacle of our career. You've worked in the trenches. You've worked your way up, taking on bigger projects and teams. You've built your network. You've gone to events and dinners. And now, you finally got that call, to be a CISO at an organization.

It's an immense responsibility for anyone. And you begin to wonder whether you are up to the task. Can you rally your people around you to tackle big problems? Can you be agile enough to respond to an incident (or many) while keeping an eye on your true north for the organization? Can you balance the needs of the business against the risks it faces? These are all thoughts that will cycle through your mind as you go through the fine print of the offer.

However, there is basic preparation that one can do before taking on this challenging yet rewarding position.

Do your homework

It probably goes without saying, but hopefully you've done your research on the company. Before diving into security strategies, CISOs need to invest time in understanding the organization's culture, strategic roadmaps, operational dynamics, industry, and so forth.

Conducting this thorough company research begins with understanding internal documentation. Scrutinize strategic planning documents, annual reports, board presentations, and internal communication archives. These resources should provide insights into the organization's risk appetite, technological maturity, and strategic objectives: all the things that will help you formulate your defensive strategy and understand where the organization is going. Pay close attention to past technology investments, previous security approaches, and the organization's historical response to technological and risk challenges. This will inform your future strategies as well as give you an indication of how the organization responds in certain situations. If budget is freed up after a breach, but there is not much budget to build security in beforehand, you (and the organization) may have a problem. This contextual understanding positions you as a new security leader as well as a strategic partner aligned with the company's broader vision.

Culture. Every organization will tell you that culture matters. And they're right. But is the culture the right one for you? Understanding organizational culture requires a subtle and observant approach. Beyond formal hierarchies, you'll need to develop a keen sense of the unwritten rules, the communication patterns, and the interpersonal dynamics. In other words, understand the politics. Observe how employees interact, the informal communication channels, and the protocols that govern workplace interactions. Are decisions made collaboratively or through top-down directives? What are the preferred communication methods: email, instant message, walk-bys, or in-person meetings? Understanding these nuances helps you adapt your leadership style, communicate more effectively, and build trust across different departments. This will come in handy during a crisis.

Along those lines, understand the work hours and professional expectations within the organization. Some companies prioritize flexibility and outcome-based performance, while others maintain strict schedules and traditional work structures. Observing and understanding these norms or rules will help you set realistic expectations for your own team and minimize potential friction points.

What does your team look like (or what will it look like)?

You never know what you are walking into when you inherit a team. Was there a previous CISO? What was their relationship like with the staff? Is there any PTSD from the previous one? Perhaps the previous CISO was well liked by the team and the organization, and you now have very difficult shoes to fill. Alternatively, you might get "lucky" and be able to build your team from scratch, but there is often a long lead time on that. You may spend months just getting funding and headcount filled, only to have the budgeting season start up again where you now need to justify your unfilled roles.

However, assuming you are inheriting an existing organization, you will likely begin with an assessment of the existing security team's capabilities, challenges, and potential. This evaluation should be more than a superficial review. You'll need to fully examine the Information Security team, the Security Operations Center (SOC), and Governance, Risk, and Compliance (GRC) teams to understand their operational dynamics, strategic alignment, and organizational impact. You may have more technical teams that build and maintain complex IT hardware and software that the organization depends on. Depending on the size and maturity of the organization, you may have physical security, threat intelligence, disaster recovery, executive protection, identity and access management, and more.

A thorough team assessment involves an analysis of each security team's performance, capabilities, and strategic positioning. Evaluate the technical proficiencies, skill gaps, and individual team members' strengths and potential areas for development. Who are the heavy hitters and the go-tos? Who are the challenging employees? Examine how effectively these teams collaborate, their current toolsets, and their ability to respond to emerging security challenges. You don't want to find this out as you're dealing with your first crisis. Consider their current resource allocation, budget utilization, and alignment with broader organizational objectives. This review helps identify immediate opportunities for optimization, potential training needs, and strategic realignment of security resources.

It's also extremely important to understand the history of the CISO role. As mentioned, if the position was previously occupied, understand what that person's role and relationship looked like with the team, their peers, and the senior leadership of the organization. Engage with key stakeholders to uncover past challenges, unresolved issues, and institutional memories that might impact your leadership transition. Were there specific security incidents, strategic misalignments, or interpersonal dynamics that led to leadership changes? You'll want to avoid repeating those same missteps. By understanding this history, you can proactively address potential concerns, rebuild trust, and chart a security strategy that is likely to be successful.

To be clear, this is not a paper exercise. Gathering this information will require engaging directly with team members, conducting informal assessments, and creating an environment of open dialogue. In other words: shake hands, get coffee, have conversations, and make connections. Look for signs of team morale, existing communication patterns, and the team's perception of their role within the broader organizational structure. And, perhaps even more importantly, where they need your help. This approach allows you to identify not just technical capabilities, but also cultural strengths and potential areas of organizational friction that may impact security effectiveness.

The buddy system

It doesn't matter how high you climb, you still need mentors and trusted partners. Even at the CISO level (and above), it's not uncommon to have mentors and people you trust who are free to tell you the truth. Ideally, mentorship for a CISO provides a strategic catalyst for personal growth and helps you avoid missteps in the organizational challenges that are sure to come. In cybersecurity, where challenges are aplenty, a trusted mentor becomes an invaluable compass, helping to guide the CISO.

It's more than just advice. A seasoned mentor brings experiential knowledge that can help CISOs. These relationships provide a safe space for vulnerability, allowing emerging security leaders to discuss sensitive challenges, explore innovative strategies, and receive unfiltered, expert feedback. By sharing real-world experiences, mentors help mentees develop not just technical skills, but the critical soft skills essential for effective cybersecurity leadership, such as strategic thinking, communication, stakeholder management, and organizational influence. One of the biggest benefits of this relationship is that mentors can often unlock doors to speaking opportunities, board positions, consulting roles, and strategic partnerships that might otherwise remain invisible.

Mentorship opportunities can be found anywhere, and don't have to be formal. Associations like ISACA and ISC2, industry conferences such as Black Hat, RSA, and SecureWorld, online platforms including LinkedIn and specialized cybersecurity forums, internal corporate mentorship programs, educational alumni networks, and consulting services all offer opportunities to network and find that trusted voice. Engaging with these channels can cultivate relationships with other professionals who can offer guidance, help expand the CISO's professional networks, and provide insights into navigating cybersecurity leadership. Remember, though, the most effective mentorships are built on genuine connections, shared professional values, and a mutual commitment to continuous development. People can spot a fake and know when they're being sold something that is disingenuous.

If you enjoyed this, stay tuned! I have a lot more to say on the topic of starting your CISO role, including, up next, the steps for setting a vision and goals.

This article originally appeared on LinkedIn.