Friday, October 28, 2016

CISO: Build relationships

In 2016, for a SANS Technology Institute project to ensure we were positioning graduates for success, I ran a series of polls on LinkedIn and with the GIAC Advisory Board on the characteristics of a successful CISO. We then ranked those characteristics by ICF values (Important, Critical, Frequent). The highest scoring value was building relationships. This post is a survey of my chosen tips from the top ten Google returns on the subject. My request is that you use the comment feature of either Blogger or LinkedIn to share your insights on what is most important, and/or mention what you feel is missing. In return, I will attempt to distill the information into a condensed format that will be available for the community to use.

Distillation as of 10/29/16:
A successful CISO must work constantly to build relationships. A simple key to this is being the type of person others would want to have a relationship with. The basics are fairly obvious: good hygiene, dress for success, smile, be a good teammate. But there is another aspect: be genuine. There is no point asking "how was your weekend" or "how are the kids" if you don't care. A simple measure of caring is how recently you wrote a thank-you note. And you don't have to care; you can be a fine engineer, coder, or network analyst if you don't care about your co-workers, but you can't be a successful CISO.

Mindtools defines the characteristics of good work relationships as:
  • Trust
  • Mutual Respect
  • Mindfulness
  • Welcoming Diversity
  • Open Communication

  • Share more of yourself at meetings.
  • Speak positively about the people you work with, especially to your boss.
  • Be supportive of other people's work.
  • Ask others to become involved in your projects or activities.
  • Write thank-you notes.
  • Initiate conversations by asking questions.
  • Initiate repeated interactions and communications.
  • Participate in activities with others that don't involve work.
  • Share information.
  • Introduce yourself at social work events.
  1. Take the hit.
  2. Step in without being asked.
  3. Answer the question that is not asked.
  4. Know when to dial it back.
  5. Prove they think of others.
  6. Realize when they have acted poorly.
  7. Give consistently, receive occasionally.
  8. Value the message by always valuing the messenger.
  9. Start small... and are happy to stay small.
I put this out on LinkedIn, and here are some of the comments:

Dr. Shawn P. Murray: Ethics first, build solid relationships with all business units and work with the board to ensure information security is part of your culture and corporate governance.

Bill Carr: I think every employed person needs to build relationships, so that is a given; you earn trust through communications, competence and character. A CISO should above all else be courageous; they must hold the line even when it could mean they need to find another organization to work for that is genuinely committed to protecting its data, its customers, its brand, its shareholders and most importantly its brand (good name). Neither the business nor anyone else should be able to tell the CISO how to protect the organization, for on his/her head the sword of Damocles will fall if it goes bad.

Bill Carr: Traits: Courage, Character, Passion, Ethical, Disciplined, Focused, Decisive, Reliable, Resourceful, Assertive, Critical Thinker, Analytical, Effective, Influencer, Listener, Learner, Knowledgeable, Experienced (Wisdom), Smart, Visionary, Logical and Organized.

Stephen Northcutt is Director for Academic Advising at SANS.EDU and chair for SANS Rocky Mountain 2017.


Comment: I think the 5 characteristics of exceptional leaders as described by Kouzes and Posner in "The Leadership Challenge" clearly apply to CISOs:

    1) Model the Way
    2) Inspire a Shared Vision
    3) Challenge the Process
    4) Enable Others to Act
    5) Encourage the Heart.