What CISOs really want

The Top 3 Things They Want You To Know

by Josh Fu, Principal Security Engineer, Cylance

Living in Minneapolis is ‘pretty excellent’. Yes, it’s winter eight months out of the year, but we thrive in it. There’s good food, drinks, and events, and it only takes 20 minutes to drive anywhere. What’s even cooler is how many big companies there are here. I recently went to BrrCon, a free, technical cybersecurity training day sponsored by several of the large companies headquartered here, such as Target, 3M, and Medtronic. One of the first sessions of the day was a panel of Chief Information Security Officers (CISOs) addressing some of the most pertinent topics in our industry. They spoke on three major topics:

  • What are you most concerned about?
  • What key traits do you look for when hiring someone?
  • How do you work with your company executives to ensure the security of your organization?

What are you most concerned about?

The CISOs were most concerned about the same thing: the human phishing target. Credentials socially engineered out of an employee are the easiest way into an organization, because the attack exploits human emotion rather than a technical flaw, so the panel strongly believed that both user education and technical safeguards are essential. They have also observed that geopolitical conflict, particularly new sanctions, increases external attacks from the affected countries: people there still need to make money, so adversaries step up attacks aimed at funds or intellectual property. Beyond credentials compromised by external threats, inappropriate credential use by insiders was also a concern, because insiders often know exactly where the crown jewels are kept.

What key traits do you look for when hiring someone?

Being a good hire is less about your encyclopedic security knowledge than it is about who you are as a person. When posed this question, the CISOs listed these traits:

A contributor; trustworthy; transparent; has integrity; has a good work ethic; brings diversity to the team; and shows humility as a leader

The skills to do the job were secondary to these traits. One of the CISOs shared a story from early in his career in which he took a risk by being direct with the company’s leadership. A major incident had occurred, and rather than soften the message he was transparent about the situation and willing to show them the bad news. That decision demonstrated he could be trusted, even when being candid carried personal risk.

How do you work with your company executives to ensure the security of your organization?

Executives want to hear what is happening, but framed in terms relevant to their own home and children, in plain, simple English rather than security industry and technical jargon. Analogies are especially helpful.

For the most part, many executives don’t quite understand why their company is being attacked, so CISOs need to help them see that the problem is not going away and that security spending is not a conventional return-on-investment discussion. This requires changing their thinking: the attacks keep coming because, for the adversaries, attacking companies is a business model.

It’s often easier to answer questions from the board, which tend to be about external factors. The C-suite is often the bigger challenge. The question CISOs must constantly answer is, “Are we good [from a security perspective]?” The answer is often, “We’re doing everything we can from an investment standpoint, but the attackers are still making money,” because it is the truth, but it also leaves a little doubt.

Their notes to vendors

The CISOs provided some helpful advice because technology is part of each of their security strategies. Vendors need to provide information that CISOs can take to their executives, but the CISOs all said they’ll almost never answer a cold vendor email. They talk to each other and will take a meeting if the vendor is referred by their peers.

While I cannot truly understand each of the decisions that CISOs must make every day, I found their answers insightful, and they challenged many of the assumptions I think most people make about what CISOs care about. To learn more about how Cylance can help you answer the “Are we good?” question, please reach out to us at sales@cylance.com. Thank you very much for your time, and think about how you can help meet a CISO’s needs today.

About the Author

Josh Fu, CISM, CISSP, is a principal security engineer at Cylance, an artificial intelligence company focused on cybersecurity. Josh has experience as a channel manager and consultant in cloud infrastructure and as a technical account manager and sales engineer in cybersecurity. Josh founded the west coast chapter of the International Consortium of Cybersecurity Professionals while he was living in San Francisco and has presented in front of industry audiences and conferences around the world and for groups such as ISACA, ISC2, MGTA, IANS, and SANS.

