CISOSOS #4
Liberty but No Boats.
"My mama always said life was like a box of chocolates. You never know what you're going to get.". Forrest Gump
That's putting a positive spin on things for sure. It is one reason we all love Forrest Gump.
Most, if not all, of us have other quotes and memes we use that reflect something less harmonious when we encounter obstacles and losses, particularly when we attribute those barriers to someone else. I can always tell when one of those fleeting thoughts crosses my mind (thankfully they are fleeting) because my WHOOP band reflects it accurately as a stress response.
If my WHOOP could talk: "Karen, your stress spiked for 23 minutes for no apparent reason. Oh, wait, that's the time you wanted to reach out and TOUCH someone."
But when we have those moments, fleeting or not, and they occur with regularity, they take a toll. And as CISOs in cybersecurity, we can live in such a near-constant state of heightened stress response that we normalize it. Award-winning actor Brendan Fraser likened it to the way we tune out faulty smoke detectors. It becomes baseline. And that's when the trouble affecting CISO well-being can really start.
Over the past two years, we have had three seismic-level events in cyber when it comes to the personal well-being of CISOs. Peiter ("Mudge") Zatko, former head of security at Twitter, resorted to federal whistleblower status to call out alleged security problems at Twitter. Joe Sullivan, former CSO at Uber, was charged and convicted of obstruction of justice and misprision of a felony for concealing a massive 2016 security breach at Uber. In late 2023, the Securities and Exchange Commission filed litigation against SolarWinds and its CISO Tim Brown, with numerous allegations surrounding his role at the company leading up to the distribution of malware via its IT monitoring and management platform, which reached roughly 18,000 customers.
At the regulatory level, the SEC's new rules on cybersecurity risk management, strategy, governance and incident disclosure have introduced a high degree of uncertainty about the role and accountability of the CISO, uncertainty that will likely continue throughout the year until the majority of SEC registrants get clarity on what is expected of them.
Just writing about it is anxiety producing!
My father, a Navy fighter pilot whom I will most likely refer to on numerous occasions throughout this CISOSOS series, had a phrase he used all the time to describe what it is to be accountable without authority.
"Liberty with no boats."
At the beginning of 2024, most CISOs of SEC registrants have liberty but no boats. They have their necks in the noose with no real ability to extract themselves from an untenable situation. We've seen it again and again: back in 2017 at Equifax and more recently at Clorox, after a security breach the CISO gets the blame and the boot. It is quite understandable that CISOs are not looking at 2024 as the surprise in a box of chocolates. It looks more like the light at the end of the tunnel, when the light is a train.
Personally, my style is one to get clear about the brutal reality of a situation so I can try to fix it. Here's the brutal truth: 2024 is going to be a rocky year with CISOs' justifiable anxiety about personal and career well-being, coupled with a very challenging year for SEC registrants to be ready for their 10-K disclosures on material cyber risk.
Nothing is so simple as just a list of things you need to know in this world, but for the sake of readability, and because everyone LOVES lists, here are some survival strategies if you are the CISO, CSO, or Chief Trust Officer of an SEC registrant:
The anxiety of the devil you know is better than the anxiety of the devil you don't know. It isn't reasonable to expect every CISO to know everything and keep up with all the statutory, industry and regulatory expectations as well as the latest threat landscape, security architectures, emerging technology (hello, AI), and business drivers in an increasingly competitive landscape. You do, however, need to know who you can go to and trust to get you answers when you need them. Write down a framework for the things you need to manage. Focus on the priority projects that will help you meet your objectives (both business and personal), group them by affinity, and identify the actions that will move the needle forward. List the gaps in your experience or knowledge so you can use your network to find the answers and resources you need. If you find you have a natural resistance to a particular area of work or necessary skill set, that is a great place to use a coach to help you overcome the barrier.
Don't let other people's lack of organization and/or direction muddle your clarity on what's important for YOU to achieve. Death by Meeting (a great book by Patrick Lencioni) addresses one of the most ubiquitous problems in business today. The classic quadrant-two time management approach put forth by Stephen Covey is worth incorporating into your plan. You can still be a team player and keep your focus by using the concepts in books like these with your colleagues.
Understand what is important to you. Tony Robbins taught me a method for creating the life I really wanted (hint: it is not all work). It starts by taking stock and being very honest about the quality of your life in the key areas that are essential to us all: emotional and physical health, relationships, time management, financial management, personal and professional growth, your mission and vocation (often this is Work), relationship with the Divine, meaningful contribution, and celebration. You deserve to have every one of those areas operating at an 8-10 level, but most of us don't because we invest far too much energy and focus in just one area: Work. Ask yourself what a 10/10 would be in each of those areas, then rate where you are today. Set a juicy, compelling goal for each area. One that I used was "I am in the best emotional and physical shape of my life." Yes, I have a ways to go on that; the point is, it is a goal I keep in front of me to work on every single week. By the end of the year, I'll be better than I was at the beginning.
Comparison is the path to burnout. Jordan Peterson's 12 Rules for Life includes this: compare yourself to who you were yesterday, not to who someone else is today. When you know YOUR life and YOUR goals, it doesn't really matter what someone else is, or is not, doing. You are the only yardstick that really matters. Drive comparison of yourself with others out of your thinking.
Make this the year for the basics: Hydration, Sleep, Movement, Breath, and Stress Reduction. Your body is the consort to your soul. They are inseparable. Drink one more glass of water, get enough sleep (we should do an entire session on this one), MOVE every hour, learn to get air into every cell of your body through breathing techniques, and become aware of your stress and how to reduce it. I am a huge fan of the free information provided on the Andrew Huberman podcast. If you are interested in improving these fundamentals of life, hit me up for a list of the best podcasts.
With these five 2024 survival strategies under your belt, you can be very successful in what is sure to be a challenging year. Years that have the greatest challenges and personal risk in them are also the years for the greatest achievement and personal growth. Remember the words of Mae West: "I never said it would be easy, I only said it would be worth it."