Tom Byrne’s Post

Tom Byrne

Strategic Recruiting Partner To IT & Cybersecurity Decision Makers🔹"THE IT Headhunter"🔹 35 Years of Recruiting Experience 💻 🔒

A CISO is Not a CISO when:

* They lack the requisite qualifications: A CISO should possess a deep understanding of cybersecurity principles, industry standards, and best practices, often supported by relevant certifications.
* They do not have executive-level authority: A CISO needs the authority to make strategic decisions, allocate resources, and influence organizational priorities to ensure adequate cybersecurity measures.
* Their cybersecurity strategy is misaligned with business objectives: A CISO must develop a security strategy that aligns with the organization's overall goals and risk tolerance.
* They fail to communicate effectively: A CISO should be able to articulate complex security concepts to both technical and non-technical stakeholders, fostering a culture of security awareness.
* They neglect risk management: A CISO must continuously assess and manage risks to the organization's security posture, ensuring proactive protection against threats.

In summary, a CISO is not a CISO if they cannot effectively protect the organization's assets, ensure compliance with regulations, and maintain a secure environment while aligning their efforts with the broader business strategy.

*** Note: this posting is not meant to differentiate infosec/cyber leaders by job titles alone.

Todd Stringer

Security Strategist | vCISO | CPE | CICP | CISSP 🛡️

2mo

Great points. How do you spot organizations that hire the "Not a CISO" roles?

Andy Robinson

Cyber Security Leader, Risk Management Innovator, Complex Systems Scientist, and Heretic

2mo

Tom, I love your article! Two things: First, I argue there are no such things as "best practices." We may use common practices as a starting point, and there may be legal and regulatory requirements that prescribe specific practices, but those are almost never the BEST practice in any given risk environment. For example, I've written a spate of articles about password complexity rules and frequent change rules, which are followed as "best practices" even though they actually incur a realized loss far greater than any security risk they mitigate. Second, many enterprises subordinate security leadership and domain expertise to finding a specific progression of TITLES through similar corporate entities. This may mitigate your point about a misaligned strategy, but it also tends to focus on non-security skills, capabilities, leadership, and communication experience. In other words, their search criteria are upside down but rarely stated that way. But your last point is solid gold, and my first point above reinforces it: a CISO must apply risk management principles to everything he does, and he must include both upside and downside risks from other business functions than just security. Thanks for a great post!

wingkam wong

Senior Information Technology Manager at IOI Corporation Berhad

2mo

A CISO should refuse to take MCQ (multiple-choice question) IT security certifications: https://www.businessinsider.com/mark-zuckerberg-technical-skills-important-leadership-management-2024-9

Marshall Ringler, CISM

Experienced IT leader with 20 years of driving innovation and excellence in technical solutions

2mo

It's also important that companies do not use the CISO as a scapegoat when there is a breach or other incident. Those events are learning opportunities for the individual and the entire organization. Companies that fire their CISO because an APT beat their team's defenses remove the foundation of their security structure and create a culture defined by a fear of failure.

Val Popke

Cyber Denizen | Autological Intelligence/Manual Learner | Sense Maker | Quality Catalyst | Leader Grower | Information Protector | Digital Enterprise Hygienist | Attack Surface Reductionist | ESGRC Integrator | Word Nerd

2mo

A GRC discipline so embedded and dedicated to IT controls that one became all but indistinguishable from the other for a generation or two... It's good to be a part of the path toward a homecoming. Hopefully ESGRC Architecture is more than a side quest along the way.

Eric K.

ISSO | CompTIA Security+ | Veteran

2mo

Sounds a lot like the material tested in the CISM exam.
