Silence is golden, goes a saying.
It’s also a great tool for a new chief information security officer, a panel at RSA Conference 2022 in San Francisco told attendees this week.
“Your first 30 days, you should shut up,” said panelist Olivia Rose, CISO and VP of IT and security at data analytics firm Amplitude.
“There are a lot of people that come in [your] door and they start talking,” she said. “You have to shut up with your ideas. Just listen to what’s going on.”
The panel topic was things a CISO should do in their first 90 days on the job. Panelists included Allison Miller, CISO and VP of Trust at Reddit, who joined the company in February 2021, and Caleb Sima, CSO at online trading platform Robinhood, who joined his firm the same month – just after it announced a huge data breach that exposed the information of 7 million users.
They all had a number of useful tips.
“I find that if you work for a tech company in the [San Francisco] Bay Area and the founders and the C-levels are tech people, if you think you’re going to walk in there and they’re going to listen to you about security, you’re sadly mistaken,” said Rose, who was her company’s first security employee. “This is the last thing on their minds. The best way to do it is come up with creative ways. I recommend this to first-time CISOs all the time … You’ve got to come at people from the side. Talk their language.
“If you’re talking with an infrastructure person, talk their language. If you’re talking to somebody in the executive, you can go in with a high-level alignment, but you’ve got to connect. It’s all about trust and connection and coming up with ways to hit them right between the eyes.
“It can take five or six months, as it did for me. And I was literally pushing a boulder up a hill. One day they realized in engineering I’m not going away. I have no issues with being called annoying or being not liked. I really don’t care. You’ve got to be persistent, you’ve got to not go away. You’ve got to be seen as, ‘Oh, my gosh I might as well do as she says to get her off my back.’
“But also be clear and giving and meet in the middle.”
If you don’t have any haters you’re not doing the right thing, said Sima. “Part of the job I’m paid for is sometimes to piss people off. I have to stand up and say, ‘This is a real risk, this is something that scares us and we have to do something about it.’
“I will work as much as I can with an individual” who disagrees, he said, “but sometimes you have to take a stand. There will be people who will not be happy.”
“There is a way of framing things to definitely show where the gaps and problems are without necessarily saying someone is to blame,” said Miller.
- On what a CISO should do in the first 90 days on the job: Sima said one thing he did was circulate a questionnaire to employees about their relationship with the security team. Where there were negative responses he dug deeper to find out why, as well as to build relationships with those departments.
He also created two lists of 30, 60 and 90 day targets: The first list included his top three challenges. The second were the top three things that scared him. As time passed he marked progress on resolving them.
- On who is the CISO’s best ally: The software engineering team, said Rose, because they own a lot of the security controls. However, making them allies has to be done carefully, she added. “I needed to figure out who owned what and be very careful about pulling them away. Because even though engineering people don’t care about security sometimes, they don’t want to lose control of it when they have it. They don’t want to be told what to do when it comes to security.”
Second, she added, are the legal and privacy teams. “There’s nobody better when you’re on a Zoom call or any kind of meeting and something like a crazy idea from marketing or engineering or somebody comes up, and you just meet the eyes of the legal person in the meeting and [both of us] go ‘Uhhhhhhhhh.’ You have a natural ally there.”
- On who your first hire should be: Rose hired a woman who was competing with her for the CISO post. That person had more technical skills than she does, Rose admitted. If you’re forming a new security team, look first for generalists, said Sima. “Look for people who can wear multiple hats. And also look for people who are passionate or eager and can do a lot of different things. If you can hire three or five, make most of them generalists and hire one with the expertise to be a program manager who can make sure things get done.”
Find people who want to lead, agreed Miller.
- On speaking to the board: Tell a story; don’t just throw up a bunch of slides full of metrics, said Sima. He usually has two slides. The first, based on the U.S. National Institute of Standards and Technology (NIST) cybersecurity framework, he calls ‘Raising Safety Hygiene’; it shows the company’s progress on cybersecurity maturity. The second lists the security team’s critical missions and the progress on those projects. Details are put in an appendix.