Long ago, Ben Horowitz delineated good and bad product managers in his Good Product Manager/Bad Product Manager post. I've had good and bad CISOs and realized Ben's thoughts are broadly applicable to the CISO position and leadership roles.
Good CISOs understand the threats, the vendors, and the security culture of their organization extremely well and operate from a strong basis of knowledge, experience, and confidence. A good CISO is a builder of bridges. A good CISO takes full responsibility and measures themselves in terms of the buy-in from their stakeholders. They are responsible for the right solution at the right time. A good CISO knows the context going in (the company, revenue, funding, attitude of stakeholders) and takes full responsibility for devising and executing a winning plan.
Good CISOs focus on doing the common uncommonly well. Bad CISOs always focus on the cutting edge. Good CISOs question industry standards and policies. Bad CISOs take industry standards and policies and blindly enforce them.
Bad CISOs have lots of excuses. Not enough funding, the engineering manager is an idiot, most security organizations have way more budget and engineers, I'm overworked, and I don't get enough direction.
Good CISOs don't get all their time sucked up by the various internal teams that must work together to implement a security solution. They don't take all the security team's meeting minutes, they don't project manage the various functions, and they are not gophers for the security team. They are not part of the security team; they manage the security leadership team. Good CISOs crisply define the target, the "what" (as opposed to the "how"), and manage the delivery of the "what." Bad CISOs feel best about themselves when they figure out the "how." Good CISOs communicate crisply to the business in writing as well as verbally. Good CISOs don't give direction informally. Good CISOs gather information informally.
Bad CISOs complain that they spend all day answering questions for the business and are swamped. Good CISOs anticipate risk and build real solutions. Bad CISOs put out fires all day. Good CISOs take written positions on important issues (tough architectural choices, tough product decisions, which systemic risks to attack and which to yield to). Bad CISOs voice their opinion verbally and lament that the "powers that be" won't let it happen. Once bad CISOs fail, they point out that they predicted they would fail.
Good CISOs focus the team on delivering solutions and building stakeholder relations. Bad CISOs focus the team on how many vulnerabilities they're closing.
Good CISOs define their job and their success. Bad CISOs constantly want to be told what to do.
Good CISOs are disciplined. Bad CISOs don’t value discipline.