Top Tips from CISOs

CISOs play a pivotal role in protecting their organizations from the ever-growing threat of cyber-attacks. With a wealth of experience and expertise, CISOs have invaluable insights to share with the broader cybersecurity community.

Infosecurity has compiled some of the top tips and pieces of advice from CISOs and cybersecurity practitioners we have spoken to throughout 2023.

Pick Up the Keyboard

Fredrick “Flee” Lee, CISO, Reddit

“Pick up the keyboard! I see too many CISOs that don’t practice security day-to-day. If you are going to do this job, then you need to get into the weeds and have hands-on experience.

Otherwise, it is difficult to have empathy for your team and to effectively communicate what needs to be done and why.”

Prepare for More Board Conversations

Tim Brown, CISO, SolarWinds

“One of the things CISOs need to do is be ready for their job because sometimes things change instantly. Take our incident – on December 11, 2020, my job was very different to December 12, 2020. After December 12 I had to be external, I had to be able to speak to people, be out there in the world to promote our response and how we were managing the incident.

If you’re a CISO, start getting speaker training, understand incident response from a global perspective, and prepare for more board conversations.

We still have a number of CISOs that sit in backrooms, and work with data and operations. This is extremely important but it’s also important as a CISO to grow your skills and be able to take on some of the other challenges that you have from the business perspective as well as from the incident potential perspective.”

Learn About Business

Jon France, CISO, ISC2

“I tell my team a lot that if they really want to progress to senior levels and become a CISO, learn about business.

I was fortunate in my career in two respects. One is I was curious and like learning. Secondly, I was given exposure to business through running non-technical functions and asked for and received good mentoring.

My grounding is in technology and security, but I had that curiosity to learn from others – such as spending time with other teams.”

Take a Sabbatical

Marene Allison, Former Global CISO, Johnson & Johnson

“I think this is because I have retired from a CISO role. It is a tough job. There's a lot of pressure on it. Many folks don't take the vacations they need, they don't take a break between jobs or in their companies.

Often, we are not prepared to say, hey, you can take a sabbatical. I think that CISOs really need to do that. That would be the advice I give. And I'm not sure, if I were still a CISO, that I’d take the advice, but I give it.”

Spend More Time Pinning Down Risks

Josh Lemos, CISO, GitLab

“It's difficult to focus on the problems that matter because we focus so heavily on control-based frameworks.

We don't make risk-based but budget-based decisions.

So, I'd say CISOs should spend more time pinning down where our risks and our stakeholders' risks really lie, and for most of us nowadays, it's probably going to be in our identity and access management, as un-sexy as that might be.”

Continue Learning

Ollie Whitehouse, CTO, National Cyber Security Centre (NCSC)

“Never be afraid and always continue learning. After 27 years in cybersecurity, I’ve never stopped learning. I still do three hours a week of training, every Friday afternoon. It’s essential to keep yourself sharp and on the game.

When you commit to lifelong learning in cyber, you have a greater impact.”

Leverage the Community

Heather Lowrie, CISO, University of Manchester

“Keep doing what you’re doing. It’s a difficult job, it’s not for everyone and it takes a lot of determination and a strong sense of personal integrity to succeed in this role. Everyone who is in the role has proven their skills and competence.

Leverage the community as well – there’s a strong community that we’re all part of and that is broader than the organizations we work in. Having that support network in this kind of role is really important.”

Support the Business Goals

Tal Arad, CTO and former CISO, Carlsberg

“Understand the business you’re working in and make sure you’re supporting the business goals rather than stopping the business from what it needs to do.”