Micki Krause

Are You a Savvy CISO? Learn How to Assess Yourself

As stated previously, this column focuses on some of the most fundamental components of an effective Security Program, namely the skills and competencies required by the security leader to implement a successful program. These traits, sometimes called the ‘soft skills’ of security management, are increasingly important as security risk management becomes a predominant Board room conversation. Chapter 9 of the newly published anthology, CISO Leadership: Essential Principles for Success [Auerbach Publications, New York, 2008] nails the message right on the head relative to what it takes to know if you are a savvy CISO. It also gives you very practical advice on how to achieve self-awareness for success.

This chapter is written by Billi Lee who has quite a reputation as a speaker, columnist and creator of Success Savvy seminars. In her chapter, which I summarize below, she makes a distinction between un-savvy and savvy, defining savvy as “the combination of personality traits, innate abilities, and learned behaviors required to assess environments and situations, and to adjust behaviors to achieve goals.”

The information in her chapter is invaluable, as she first provides us with a “Workplace Savvy Checklist” as an introduction to some key workplace savvy behaviors. It’s not too often that a CISO, especially one who came up through the technical ranks, would feel confident in saying, “I’m aware when the climate turns political and can respond productively.”

Next, we are offered a 12-step program, so to speak, in her “12 Savvy Questions,” which are geared to help an individual or a group become savvy and stay savvy in any situation. In question 12, for example, Billi asks: “Who pays the price for the game I play?” She then goes on to explain: “Any decision you make will most likely affect others. Not wanting to play the game doesn’t absolve you from consequences your action or inaction imposes on others. Be aware, be responsible, and be accountable.”

All too often, CISOs are in denial about their effectiveness. In many instances, information security professionals become disappointed and disgruntled, moving from one company to another, blaming their lack of success on the situation or, worse yet, other people. Typical laments are: “My management doesn’t understand why we need security.” “I can’t get the funding.” “This company doesn’t care about security.” I need only point you to Todd Fitzgerald’s last entry in this column where he provides a synopsis of a CISO survey he conducted. The findings are quite revealing. There are a lot of ‘less than happy’ professionals out there.

Now I’m not saying that many times, their complaints aren’t well-founded. Let’s face it, information security is not an easy sell, even in today’s risky environment. But, as William Shakespeare’s Polonius once said, “To thine own self be true.”

So, my recommendation: take the ‘Savvy profile’. Assess yourself and then study the behavior-modifying information in Billi’s chapter.

And by the way, if you or your organization is looking for a guest speaker, I can highly recommend her. Her topic is ‘spot on,’ her delivery is engaging and humorous, and she’s a real hoot!
