12 security career-killers for CISOs
10 March 2021, 06:00
The stories are out there: the smart co-workers who get in their own way instead of getting ahead.
CISOs know them, too. One remembers a brilliant employee who liked to remind others how smart she was and how she deserved way more money than she was making. Another recalls a talented staffer who did exactly what was required, but nothing more. Neither made it very far, as their bosses finally had enough of their drag on morale and decided to let them go.
Those are just two of the many ways to kill your career, say CISOs, career coaches and executive consultants. Some actions, such as illegally accessing computer systems, are obviously fireable offences, while numerous others will simply halt any upward mobility.
Skipping over the outright unethical and illegal behaviours (which professionals should already know not to do), here are 12 common traits that security leaders say will keep you from advancing your cybersecurity career – and how you can avoid such a fate:
Believing security is the end goal
“The biggest problem I’ve seen is security people who think security is the be-all and end-all. They go in with that attitude, and they don’t see how they have to enable the business,” says James Carder, CSO of the security tech company LogRhythm. He says they instead need to collaborate with their business-unit colleagues to understand their objectives and then be an enabler, not a hindrance.
Others agree. “Security is a profession that has plenty of standards and regulations and frameworks, but too many times we try to implement them in a blind way, from the perspective of the standards instead of trying to implement them in the context of the business,” adds Russ Kirby, CISO of software company ForgeRock.
Similarly, Kirby has seen security pros become so focused on their own objectives that they alienate other departments that may otherwise want to work together to find a solution. He points to one scenario, where security staffers wanted to change an application’s minimum password length from eight characters to upwards of 20.
The IT application team pushed back, explaining that they could go to 12 characters but anything more would take significant time and money to change. The security folks dug in, refusing to back down from their demand and generating bad karma and a reputation for being unreasonable in the process.
“If the security people had had a better relationship or were better at listening, they could have understood the problem, come to a middle ground and understood the roadmap for the app would have allowed for passwords to be any length within a year,” Kirby says. “But the immovable, draconian attitude they took meant that [the security workers] were to be avoided, and they missed out on opportunities that otherwise would have been presented to them in their roles.”
Acting like the smartest one in the room
There’s no question that the security field attracts many brilliant minds. But no one should believe they’re the only ones who are smart—and they certainly shouldn’t act that way.
Yet Lisë Stewart, principal-in-charge of the Centre for Individual and Organisational Performance at the professional services firm EisnerAmper, says it’s a common problem. She coached one young employee who executives believed had potential but whose arrogance held him back.
“He’d do a big heavy sigh when people didn’t understand what he was talking about. He was very quick to criticise, and he always had a negative word to say about others, so even though his technical skills were good, he came across as someone who couldn’t be trusted,” Stewart says, adding that people requested to work with others who “didn’t make them feel stupid.”
Stewart notes that smarts—even true brilliance—only gets you so far. “Many people believe it’s their technical skills that will take them places. That’s simply not true. That only happens in a few cases. Steve Jobs might have gotten away with it, but he was the exception.”
Being too timid
On the other hand, Katie Cassarly, associate director of career services at Carnegie Mellon University’s Heinz College, says she sees some security workers—particularly new ones—lack the confidence they need to move up the ranks. “They think that they’re not good enough, that they’re not talented enough,” she says, adding that workers in this class might not volunteer for high-profile projects or apply for promotions as a result of their self-doubt.
“They might not know how to speak up or disagree with a boss or colleague, even though they could shed light that could solve a problem or mitigate risk,” she says. Time and experience can help them gain confidence, but some might do better by seeking out a mentor or coach who can guide and encourage.
Losing your cool
Most work environments these days come with a lot of pressure, with security teams often under the added stress that comes from being a constant target of cybersecurity threats. Everyone feels it, Stewart says. But no one’s helped by the colleague who goes off the deep end from frustration.
“Someone who yells and screams and exacerbates the problem by doing so tends to damage their own reputation and their own career,” she says, adding that co-workers will recognise it for the emotional immaturity it is.
Moreover, she says, colleagues will want to avoid team members with such alienating behaviour, leaving them out of the loop on key projects that could help them get ahead. “You really need to have the ability to control your emotions,” she adds. “A higher level of emotion is absolutely acceptable when you’re celebrating, but it’s unacceptable when you’re dealing with problems.”
James Stanger, chief technology evangelist at CompTIA, a training and certification trade association, remembers spilling into technical talk during one of his first presentations to a board of directors and then seeing their eyes glaze over. It’s a typical rookie mistake, and one he quickly recovered from by switching back to more relatable business language. Many, however, don’t know or try to make that switch from tech talk to business speak, Stanger says, which keeps them out of board rooms, the C-suite, and even management.
“People will ignore what you say when you’re only speaking technical. Your career doesn’t advance and then you have to deal with the downstream issues that you’re causing because no one is listening to you,” Stanger says.
Sticking to yourself
Professionals in every discipline advance in part by helping others do their jobs, becoming trusted partners to their colleagues, and building relationships throughout their organisations. Some people find networking easy, while some roles require the kind of collaborating that helps forge those workplace bonds.
However, the security function at many organisations doesn’t frequently fall into either of those categories even though building relationships is no less important for both successful security programs and individual career advancement, says Kimberly Roush, founder of All-Star Executive Coaching.
As a result, security workers must create more of their own opportunities. She suggests you let colleagues know you’re interested in connecting: Reach out and ask questions, acknowledge others’ successes, set up meetings to learn from others. “You should absolutely be doing those things if you want to have influence beyond your own [department],” Roush says.
Failing to build other skills
Security pros value their technical skills and certifications, and rightly so, but they need to understand how those fit into their organisation’s overall tech stack, its objectives, its understanding of security threats, and its tolerance for risk.
Moreover, security professionals need to lean on that understanding as they progress up the ranks in order to succeed at that higher level. However, many fail to develop that broader portfolio of business, management, and leadership skills.
“Security professionals too often fall into the trap of focusing too much on technical skills and not enough on soft skills such as writing and presenting. Cyber security is about communicating solutions to problems, communicating threats and risks, and mitigations to those threats and risks. What good are technical feats if you cannot communicate their results or value to the right stakeholders whether they are clients or leadership?” says Will Mendez, managing director of operations at the consulting firm CyZen.
Carder sometimes comes across security workers who have been in the same position for lengthy stretches. Tenure isn’t necessarily bad, but Carder says it does raise questions on whether they’ve hit a ceiling.
“I look at their career growth, and I know if they’ve stayed at a certain level for a long time, there may be a reason. It’s a red flag,” he says. Carder says he looks to promote workers who take on new assignments, learn new skills and broaden their knowledge. “I look for security professionals who see that there’s room to grow,” he adds.
Staying in security
Jenai Marinkovic, a virtual CTO and CISO with Tiro Security and cybersecurity expert with ISACA, a professional association focused on IT governance, once got a blunt message from a mentor: the mentor told her she couldn’t understand the business perspective, so she couldn’t effectively communicate and collaborate with the business-side teams.
The mentor suggested that Marinkovic get some experience outside of security to help her expand her horizons. So Marinkovic took a series of CTO jobs with startups, where she learned to be a more effective business leader; she ultimately spent three years in roles outside of security. “I wouldn’t be where I am today had I not done it,” she says.
Mistaking vulnerabilities for risks
Many security professionals consider their team’s priorities and objectives in terms of cybersecurity threats, identifying vulnerabilities that must be addressed instead of viewing them with a more nuanced, business-driven lens focused on risk, says Lisa Core, senior director, security, for enablement and compliance at the software company Zendesk.
She speaks from experience, having once faulted business-side colleagues who were approving changes via emails instead of through a preferred ticketing solution. She was set straight by her boss, who reminded her that the real risk was changes going through without any approval at all, not the process through which the approval happened.
“A lot of security professionals tend to be very black and white: Here’s the vulnerability, here’s how someone can exploit this, here’s why we need to fix it now. They’re not able to see past the black and white. They can’t see whether the vulnerability is also a risk. So they need to think about vulnerabilities more broadly. They need to learn to live with risk, to understand that it’s not all or nothing,” Core adds.
Being tactical, but not strategic
Marinkovic says most security people she knows are more likely to be tactical thinkers, working through linear plans to address issues and needs. “We put together tactical plans that we call strategic plans,” she says, explaining that this approach can both fail the long-term needs of the organisation and stymie professional career growth.
CEOs and boards want security leaders who can work with them to devise a future vision as well as understand how security enables that vision, where it can actually help shape it, and where it could even become a differentiator. Security professionals who can think along those lines instead of presenting a 12-month schedule of security plans are the ones who get promoted.