Successful CISOs should be mischievous, defensive, always plan for invisible threats, drive awareness, display expertise, and more, according to Ed Amoroso, AT&T's senior vice president and chief security officer.
Amoroso keynoted at AT&T Inc.'s (NYSE: T) annual cyber security conference in New York City this week, where he presented his "Top 10 Habits of Highly Successful CISOs" list based on his 30 years of professional experience. He delivered the list in his usual boisterous fashion, sprinkled with sports metaphors, and doused with a hefty dose of personal stories and insight. Here is his list:
- Encourages Mischief: Everyone that gets into security has a mischievous streak. They like getting to the bottom of things and figuring things out, and they should encourage the same on their team.
- Aligns for Financial Growth: CISOs have to be active and willing to move their groups as they see fit, or push their teams toward where the financial growth is going to be. If the team or its capabilities are not growing, they are not keeping up.
- Doesn't Avoid Technology: Technology is, after all, the most important part of their job. This is where communication skills come in handy so that CISOs can drive awareness, show their expertise and also gain trust. (See also numbers 7, 8 and 9.)
- Takes Pride in the Defense: CISOs need to demonstrate that they are proud of what they do and play defense against threats.
- Tailors Compliance: CISOs should tailor a compliance program to solve a specific problem. When they hear "compliance," they should be thinking problem-solving.
- Plans for Emerging Threats: CISOs should be planning for an invisible threat like one prepares for an approaching hurricane on a sunny day. "It's a nice day, but I'm nailing plywood on the windows. Aren't you?" asked Amoroso. It's an important skill and habit for people to envision an invisible threat and build a program around it.
- Drives Awareness Views: CISOs need to be taking a different approach to awareness and getting a point across. They should be thinking: Who's watching it and who is measuring who's watching it? CISOs should start thinking about messaging to groups using social, mobile and video -- put something fun and interesting together and you might actually get someone's attention, he said.
- Participates in Community: Being part of a community is essential but the goal is trust. Community is an essential habit. CISOs must nurture and grow the habit of being social in order to establish trust with their peers.
- Displays Company Expertise: CISOs must know what they are talking about no matter what vertical they are working in. They need to learn the business and immerse themselves in the company.
- Patience with Executives: This habit runs against the grain of many and it includes self-reflection as well. After all, what the CISO is thinking about executives is likely similar to what their own team is thinking about them -- almost like The Golden Rule.
I think his list is spot on with the exception of two missing items. One is Global Awareness. CISOs need to be on the pulse of what's happening in the world, politically and economically, in order to truly be aware of emerging threats. Perhaps this would fall under "Plan for Emerging Threats" in his mind, but I'd add it as number 11 on my own list.
I'd also add Cultivate Creativity because in order to imagine your adversary and what they are targeting or going after, you certainly need a creative mind.
Do you agree with his list? Are there any you'd add? And don't miss my radio show next week with Jason Porter, VP of security solutions, AT&T, Oct. 13 at 2pm ET.
— Elizabeth Miller Coyne, Editor, The New IP