{"id":37680,"date":"2020-10-15T16:00:18","date_gmt":"2020-10-15T16:00:18","guid":{"rendered":"https:\/\/www.microsoft.com\/security\/blog\/?p=92089"},"modified":"2020-10-15T16:00:18","modified_gmt":"2020-10-15T16:00:18","slug":"ciso-stressbusters-7-tips-for-weathering-the-cybersecurity-storms","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/ciso-stressbusters-7-tips-for-weathering-the-cybersecurity-storms\/","title":{"rendered":"CISO Stressbusters: 7 tips for weathering the cybersecurity storms"},"content":{"rendered":"
<\/div>\n

An essential requirement of being a Chief Information Security Officer (CISO) is stakeholder management. In many organizations, security is still seen as a support function; meaning, any share of the budget you receive may be viewed jealously by other departments. Bringing change to an organization that\u2019s set in its ways can be a challenge (even when you\u2019ve been hired to do just that). But whether you\u2019ve been brought on to initiate digital transformation or to bring an organization into compliance, you\u2019ll need everyone to see that it\u2019s in their best interest to work together on the program.<\/p>\n

I sat down to discuss some CISO Stressbuster tips with my colleague Abbas Kudrati who has worked as a CISO in many different organizations for over 20 years before joining Microsoft. Here are several things we identified as important to weathering the cybersecurity storms and in Abbas\u2019s own words.<\/p>\n

Abbas Kudrati, a Chief Cybersecurity Advisor at Microsoft shares his advice for relieving stress in today\u2019s CISO Stressbuster post.<\/em><\/p>\n

1. Business engagement makes a difference<\/h2>\n

My passion is for building or fixing things. My reputation in those areas means that I am often engaged to work on a new project or implement changes to an existing system. I\u2019m a generalist CISO who works across industries, but in every role I\u2019ve undertaken I\u2019ve managed to get something unique done, and often received an award as well. My tasks have ranged from achieving better compliance to improving incident response plans or aligning with international standards such as CREST UK<\/a> or COBIT 5<\/a>.<\/p>\n

My focus is on implementing the changes that are needed to make a difference and then finding a good successor to take over maintaining and operating a large, complex environment. My typical tenure as a CISO was two to three years, but I know some CISOs, particularly in large, complex environments such as mining organizations, where they\u2019ve been in their role for six to eight years and running. They have a good rapport with their management; the CISO feels supported and they\u2019re able to support the business in return. Those two things\u2014engagement with management and reciprocal organizational support\u2014are essential to being a successful CISO.<\/p>\n

2. Know what you want to accomplish<\/h2>\n

It\u2019s often difficult to gauge the state of an organization until you\u2019re in it. Sometimes when you start a role you\u2019ll realize how bad it is and think, \u201cWhat have I gotten into?\u201d You don\u2019t want to mess up your CV by staying for only six months; so, you try to stick it out. But if the support and communication aren\u2019t there, it\u2019s not worth the stress of staying for more than two years. This is the common reason many CISO\u2019s leave.<\/p>\n

A different frustration can occur when you exceed targets. There have been instances when I\u2019ve been brought on board to deliver a targeted result within three years but managed to accomplish it within 18 months to 2 years. Then in the second stage, the company says it can afford to keep it running. That\u2019s not what I want. I want to make a difference and be planning around that; so, I can then choose to move on.<\/p>\n

3. Hire and build the right talent<\/h2>\n

The final challenge, particularly in the countries where I\u2019ve worked, is hiring the right talent<\/a>. In the Asia-Pacific region, there\u2019s a very competitive market for skilled individuals. In some situations, I\u2019ve looked to use my academic connections to hire fresh minds and build them up. Not only do I get the skills I need, but I\u2019m helping to support the development of our profession. This isn\u2019t easy to achieve, but I\u2019ve developed some of my most passionate employees this way.<\/p>\n

4. Find mentors and advisors<\/h2>\n

It can be lonely being a CISO. Not many people understand what you do, and you often won\u2019t get the internal support you need. It helps to find a mentor. I\u2019ve always sought out mentors in the role of CISO who are doing security in a more advanced way. Don\u2019t be limited just to finding this in your immediate location. Find the right mentor in any industry or region, and today that person can be anywhere in the world. In Australia, there are only a handful of people in organizations large enough to have a CISO at an executive level. Finding that international connection was invaluable to me.<\/p>\n

Vendors and partners also can be a good sounding board and source of advice<\/a>. I had a good relationship with the account team at Cisco and they introduced me to their CISO, who gave me a lot of valuable insights. This is something I\u2019ve carried into my role at Microsoft\u2014I provide our customers with the same kinds of insights and external viewpoint that I appreciated receiving in my earlier roles. Customers appreciate the insights you can provide, helping them to make tough decisions and evolve their strategy.<\/p>\n

5. Burnout is real and career progression can be a challenge<\/h2>\n

Being a CISO is not an easy job. You\u2019re on the frontline during security incidents; a routine 9-5 schedule<\/a> is almost impossible. In the Asia-Pacific region, there are also limitations on where you can go to develop your career. Some countries are not big enough to have sufficient mature organizations that need a CISO. For example, there is a limit on how many CISO roles will exist in Malaysia or Indonesia. Australia is slightly bigger. Singapore has even more opportunities, but it\u2019s still not on the same scale as countries in other parts of the world.<\/p>\n

CISO\u2019s often move on to be advisors, consultants, or even into early retirement. It\u2019s quite common to see CISO\u2019s retire and become non-executive directors on company boards, where their experience is invaluable. Being a virtual CISO allows you to share expertise and support, work on specific projects (such as hiring a team), share expertise, or educate an organization without being tied into permanent employment. When moving on, a CISO will often take a reduction in salary in exchange for a reduction in stress and regained family time.<\/p>\n

For me, the move to being Chief Security Advisor for the Asia-Pacific region at Microsoft was a logical and fulfilling step. I can pay forward to customers that support that I received from vendors as a CISO. My experience and expertise can help organizations better consider the changes required to undertake a successful digital transformation.<\/p>\n

6. Discipline and human connections are essential<\/h2>\n

There is so much disruption in a CISO\u2019s working life; it\u2019s important to focus on your physical and mental well-being as much as your work. Take regular breaks; go outdoors and get some fresh air. Take time for mental well-being with meditation or physical exercise. COVID-19 has underlined how important it is to connect with your family. Since a crisis may interrupt your holidays and weekends, don\u2019t count on those times to relax.<\/p>\n

Building your ally network both within the company and outside is essential to maintaining your sense of balance, perspective, and support. I really like the concept of allies that Microsoft fosters across different groups, backgrounds, and environments. We all need to be there to support each other. Now that the whole world is connected, we can be, too. Checking how people are and supporting them is core to managing our group stress, and has never been more important than during a pandemic. Take the time to connect.<\/p>\n

7. Truths to remember<\/h2>\n

This is a wake-up call for organizations that may be thinking of hiring a CISO, or just looking to fill a spot in an organizational chart\u2014having a warm body in that position is not enough. Business executive and leadership teams must provide adequate resources and give the CISO the ability to manage risk and help the business be successful. Keep these tips in mind when you\u2019re hiring:<\/p>\n