CISO Life: the Good, the Bad, the Ugly

What type of things can go wrong with Senior Leadership, the Org, Legal, HR, etc.

by Dan K. Anderson

In today’s hectic Cyber world, the role of CISO continues to get more difficult, while at the same time diluted, diminished, taken for granted, and downright not fun at times.  It used to be that aspiring to the office of CISO meant that you had really accomplished something, but today many times, the CISO is a commodity.  Easily replaced, done without, sidelined, or all tother removed.  I’ve worked with a great many CISO’s, mentored them, provided guidance, nurtured them, cried with them, laughed with them, celebrated with them in their achievements.

I’ve been a CISO for a long time myself as an employee, as a contractor, as a vCISO, as the go-to CISO when there isn’t one.  I’ve seen a few things and learned a few things along the way that I want to talk about today.  This was a presentation that I gave at the CyberDefenseCon conference last year where I received an awesome honor as Top Global CISO of the Year 2023.  I wanted to get this word out there to a broader audience as it did generate a lot of interest amongst my peer winners and fostered some great discussion.

This article will cover Conflicts of Interests, Officers and Directors Insurance, Protections for CISOs, how to find and/or create allies at the top, how to deal with the need to blow the whistle and aspects of things I learned about the SEC Whistle Blower program, what it does or does not protect a CISO from.

The Good:

I’m grateful every day for what I have achieved, for the people I’ve worked with, My Partners and Associates, the customers, and patients I’ve helped, the Practitioners who I helped get the critical data they need in order to do their best work, and my Family.  I am thankful for the amazing Country I serve and the opportunities that came because of my Air Force service.

I’m well and truly blessed. ~Dan Anderson

Conflicts of Interest:  This is a topic that often comes up sort of after the fact when an employer might question your loyalty, what you spend time on, how well known you might be in the industry, etc.

The Good: Having a well-defined conflict of interest and reporting annually or more often as agreed by the parties is the optimal situation.  No surprises, No worries!

Being open, transparent, and communicative can help a lot, however it can be hard to account for the company’s motives if you find yourself in misalignment.  Suffice to say that if you have an already agreed upon conflict of interest, its current, and apprised at least yearly, it will be read and re-read multiple times by both parties when misalignment occurs.

Officers and Directors Insurance:

Normally this exists to protect the Officers and Directors of the Company, but it does beg a few questions:  Are you a registered Officer? How do you look in the org structure? Can you negotiate a coverage even if you are not considered an Officer or Director?

The Good: The best time to negotiate for O&D Insurance is in the beginning of the relationship.  Protect yourself so you can have less worry while protecting the Company.

CISO Protections:

1. Chief Legal and the legal team as a whole are there to protect the company, not you the CISO.
2. HR is not there to protect you the CISO, they are also there to protect the company.
3. Assuming you are acting within legal bounds, document, document, and more document.
4. Email and retention is a problem, PDF your relevant emails, save them strategically.
5. Your employment contract.

The Good: Understanding the roles and expected behavior of all the players and the rules according to Policy is key to your success.

The legal team of the company is there to protect the company.  If you need legal advice, the best move is to have an agreement where this is paid by you.  Rest assured, you do want to be able to choose your own, fund your own, and use it when or if needed without any conflicts related to the company.

Likewise, HR is also there to protect the company.  They might seem like they are on your side in certain matters but at the end of the day, their fiduciary duty is to the company not the individual.

Make sure to keep accurate documentation as if your life depends in it.  It may.  Email retention can be a problem as well, so make sure you have a sound plan to have comprehensive documentation that you maintain yourself.  Not always easy.

The employment contract can be tricky to navigate for CISO’s.  Take a close look at the severance construct if there even is one.  Just like the way a pre-nup works for marriage, if you define and agree how things end when they do, you will be much happier.

The Good: There are two optimal times to negotiate your employment contract.  First is before beginning the job. Second is when you are truly ready to leave, meaning you have something else solid lined up as in, contract in hand and ready to provide notice.

How to find and create allies at the top:

First and foremost, you need to spend time with the leaders.  This can be challenging in today’s remote work scenario, but well worth the investment.  If you don’t have a seat at the main decision table, then you will have to enjoy the scraps.

The Be’s: Be Consistent, Be Flexible, Be Listening, Be Creative, Be the Coach, Be Trusting, but also be Verifying.  The Good: Creating lifelong relationships which span companies allows you to work with the best people whom you trust, it’s totally worth it.

How to begin correctly:

1. Verify Org Structure (Who should the CISO report to?)
2. What is my budget? (Is it reasonable and appropriate?)
3. Can I bring my entourage?
4. What did I inherit?
5. What is the relationship with IT/Infra?
6. What about all the rest of the parts of the business?
7. Can I deputize resources?
8. Define the meaningful metrics you will be measured by and align with the business.

Many CISO’s report to CIOs, but this is starting to change.  Any reporting structure such as to the CTO, Chief Legal CRO, CEO can work, the key is to make you’re your leader is a champion for you while you ensure they understand Cyber.

The What is my budget discussion is interesting, and I do hope you find out.  At worst, you can always look back historically and say, “well, I was able to spend this much, so that was my budget”.

The question about bringing your own people is an important one.  Maybe you have a rock star who can do things that others cannot or maybe you just look for someone you can trust at the onset, before you have to create the trust.

Knowing what you’ve inherited can be gleaned in multiple ways such as leveraging past external audits, pen tests, etc, talking with the team, finding out what has worked and didn’t work.  The cliché is that once you’ve finally figured out what you have inherited, hopefully your 18months are not spent.  For the record, I’m not a fan of the 18-month cliché, but there is something to it.

The relationship with IT is the battle ground where you are either together, in the same foxhole fighting with the same purpose or you are not.  Of course there are shades of gray, hopefully not just the CISO’s grey hair.

Getting along with the rest of the parts of the business vs becoming their trusted partner to help them achieve their objectives is the difference between having a job and having a calling.  The most successful CISOs I know really help their business partners shine.

To the extent you can get folks from the other parts of the business to want to help with Cyber Security largely depends on what kind of luxury of time they have and their interest.  You can lead a horse to Cyber but you cannot make it think.

The Good: Beginning with the end in mind is a key strategy to help you build your best team with your best self.

How is it going along the way?:

1. First 90 days
2. First year
3. Year 2, are you still here?  (already lasted longer than 18 months)
4. Year 5, are you growing or stagnating.
5. Continuous consulting growth (yes, that journey)
6. What metrics are important to the business, to the customers, and to you as the CISO?  (ask this at each stage 1-5)

Think about it.  You can feel when it’s going well and you know very quickly and feel it when it is not.  Are you asked for advice, consulting, help?  Do you get unique assignments?  Are you asked to help solve business problems?  And do you?  Those pesky metrics keep coming back time and again, and just when you think you have them figured out some new thing like AI shows up.  Adapt, create, grow.

The Good: In the Air Force we learned the valuable exercise of retrospectives, and measuring what matters, use these concepts to your advantage.

The End Game:

Yes, I’m a Marvel fan, hopefully that is obvious.  What happens at the end is largely determined in the beginning.

1. Giving notice or waiting for the call?
2. How to make the call happen more quickly.
3. The Snap.  You and some or all of your team are fired. Access cut off, walked out, etc.
4. What is Garden Leave?

When you know its time to leave, do you wait for that call or just give notice.  You milage will vary.  There are strategies for both and its not going to be the same every time.  Just remember that its a small and tight knit industry, people talk, word gets around and its always useful to be nice.  If you need ot make something happen quickly, consider how to do even that gracefully.  And then there is the snap..what happens when your whole team are gone?  We have seen quite a bit of this lately, hopefully the companies will also try to play nice, because that word also gets around.

Garden Leave is where you are being paid, you have little to no duties and its a kind courtesy that is extended to a person to allow them extra time to find the next gig and move along with minimal interruption to their life.  More companies should do this and more CISO’s should work this in to their separation packages at the very beginning of contract negotiations.

The Good: Being true to yourself, in your own time, according to your own plan will give you peace of mind.  A good friend of mine who was my boss and has hired me quite few times explained the importance of being true to yourself.  This one piece of advice has served me well.

It’s English, but, I do not think it means what you think it means!:

1. “The company is going in a different direction.”
2. “We just want you to be happy.”
3. “There is a lot of opportunity in Cyber Security right now.”
4. “We can’t hire X resource because it creates a personnel monetary equity problem.” ~hr
5. “We need you to cut 15% from your budget…followed by…we need you to cut an additional 20% from your budget.”
6. “We have not had a breach, ever.  So why are we spending so much money on Security?”
7. “My SOC monitoring metrics from my old company looks like X, why does yours not look like this?”

I’m collecting these types of statements and will keep talking about them at the various conferences, happy hours, dinners, open mic night at comedy clubs etc.  You just can’t make this stuff up.  Its hilarious when its not happening to you.  Not so funny when it is.  Through pain we learn.  Know that if the company is going in a different direction, they have already been doing that for at least a few months and it is definitely without you.

The Good: Being able to ask clarifying questions and having honest dialogue wins every time.  Choosing the time and place carefully to ask the questions is key.

How to find the next Gig:

1. Friends, you thought you had.
2. Real Friends who can help and do.
3. Remember all those VARs and Manufacturers who called each week?  Where are they now?
4. Working your network (best process)
5. LinkedIn, Glassdoor, Indeed.  (minimally effective)

As CISO’s we get a constant bombardment from VARs, vendors, manufacturers etc.  Most of these folks have need to sell us something.  A few might be able to help you you’re your next gig, but in my experience, that is rare.  Depend instead on your network.  And it may be best to forget about LinkedIn, Glassdoor, Indeed, etc.  Build yourself some savings, or a consulting company and don’t place you’re your eggs in one basket no matter how many blowing dandelions and unicorns there are.

Whistle Blowing Considerations:

1. Understand the governing body and what they deem important/relevant:  For example, the SEC does not care if you blow the whistle if investors are not impacted, despite the company being a publicly traded company.  This from a former SEC lawyer.
2. Make sure your personal BC/DR is solid, once you report, you are not in the same game anymore.   You are now, really and truly, your own Cavalry.
3. If you report illegal activity, make sure you have solid proof, defensible in court and that it is preserved well.
4. Remember that thing about having your own lawyer?  It is key and cannot be overstated.  At the end of the day many companies get away with things because they know the optics of someone being a whistleblower really makes the whistleblower look bad and may make them unemployable, hence the need for a good savings program and/or your own consulting company.

The Good: Prudence means being careful about your choices and taking time to stop and think before acting.  You have everything you need to be able to choose correctly.

Key Takeaways:

1. There is no Cavalry for you the CISO, you are your own Cavalry.
2. In the US, it’s a right to work situation, your choice, your right.
3. Being true to yourself is the ultimate sacrifice, but worth it.

Being able to help companies, you’re your team, watch them grow, challenge them with unique opportunities and really making a difference in the world is what gets many of us out of bed each day.  I look forward to Mondays just as much as I look forward to Fridays.  I hope that never changes and I hope that its the same for you!

The Good:  Always remember the good that you have done, for your Partners, your customers/patients, the business, your peers, and your employees and contractors, and of course, your Family.

I would like to hear from you to continue the conversation.  Strategies on how to make CISO’s successful, what you’ve seen or done that works or where I might be able to guide or help.  Please reach out!

About the Author

Dan is a freelance writer for Cyber Defense Magazine and has spent his life developing and implementing communications between systems and developing systems and applications in Military, Healthcare, and Mining.  First, for the USAF, working on Navigation Systems on various aircraft, then in the Gold Mining industry for RTZ/Kennecott Utah Copper, and finally in the Healthcare Industry for Intermountain Healthcare.  He has a background in Electrical Engineering and Chemistry with emphasis in Healthcare Informatics and has specialized in Information Security and Assurance, earning his Certified Information System Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), both from the Information Systems Audit and Control Association (ISACA).  Additional certifications include: Certified Business Continuity Lead Auditor (CBCLA), Certified Ethical Hacker (C|EH), Payment Card Industry Internal Security Assessor (ISA and PCIP), and Information Technology Infrastructure Library (ITIL v3).

Winner Top Global Top CISO of the year 2023.

Dan has worked for Healthcare IT Vendors such as Cerner, GE, and IDX, and consults globally in Information Systems Security, Regulatory Compliance, Information Systems Audit, and Intellectual Property Assurance.

Some of Dan’s work includes consulting premier teaching hospitals such as Stanford Medical Center, Harvard’s Boston Children’s Hospital, University of Utah Hospital, and large Integrated Delivery Networks such as Sutter Health, Catholic Healthcare West, Kaiser Permanente, Veteran’s Health Administration, and Intermountain Healthcare.

Dan is a Board member, Past President, and Academic Liaison Director of the Utah chapter of the Information Systems Audit and Control Association, (ISACA), a Board member of UtahSec.org, a Board member and Past President of FBI Infragard Salt Lake City Chapter, member of FBI Citizen’s Academy Alumni Association, and member of the Security Technical Committee of Health Level Seven (HL7).  Board Member, Center for Excellence in Higher Education Program Advisory Committee.  Board Member, Utah Valley University Cyber Security Program Community Advisory Board.  Board Member University of Utah Eccles School of Business Masters in Information Systems (MSIS) Program Advisory Board.  Member BlackHat Network team.  Healthcare Customer Advisory Board Member, Proofpoint.  IEEE 2612 Cyber Medical Device Conformance founding member. 2023 Winner Global CISO of the Year.

Dan has served in positions as President, CEO, CIO, CISO, CTO, and Director for various companies, is currently CEO and Co-Founder of Mark V Security, Chief Information Security Officer, and Senior Management Consultant for Spectra Consulting Group, Current vCISO for Graphite Health, and Former Chief Information Security and Privacy Officer for Lifescan Global, Inc.

In his spare time Dan has previously volunteered as an Ice Hockey coach for over 14 years in various youth hockey associations in Utah, has served as Head coach for Riverton High School and Midget Major AA travel teams, earning USA Hockey’s highest coaching level 5 Master Coach.  Current volunteer efforts in building the future of infosec security professionals through University Board work, involvement in the local hacking scene, and mentoring students and co-workers.

Dan lives in Littleton, Colorado and Salt Lake City, Utah.

Dan can be reached online at: [email protected]