The best CISOs think like Batman, not Superman

Many CISOs see themselves as Superman — soaring overhead, cape fluttering, and ready to swoop in and save the day at a moment’s notice if a crisis arises. There have been entire summits and award ceremonies based around the idea of CISOs as superheroes, and there’s even a web tool that will let you figure out your own “security superhero” alter ego.

But the best CISOs aren’t superheroes — or at least, not superheroes cut from the same cloth as the Man of Steel. The reality is that problems quickly emerge if a security chief believes their job is to be a universally beloved hero, basking in the gratitude and admiration of those they protect.

When you see yourself through that lens, it’s far too easy to start making decisions that please people in the short term and failing to make the tougher decisions needed to keep them safe over the long haul.

As any CISO knows, cybersecurity is a tough job that seldom earns much in the way of thanks or recognition. In fact, the most successful CISOs are often required to act in ways that make them deeply unpopular. To do the job right, in other words, you need to make your peace with being an anti-hero — and that means learning to think less like Superman, and more like Batman.

Think like the Caped Crusader

Why should CISOs learn to think like Batman? For starters, Batman knows that fighting crime isn’t a popularity contest and doesn’t expect thanks from the people he’s trying to protect. In the same way, CISOs should accept that if they’re popular, they’re probably doing their job wrong.

People should feel a bit of angst when the CISO’s shadow falls over their desk — because the CISO should be prodding them to make uncomfortable decisions, badgering them to do better, and preventing them from settling into complacency. Your role isn’t to keep people happy — it’s to keep them safe, despite the groaning and muttering your efforts inspire.

Batman also knows that you can’t fight crime by basking in the sunshine. Instead, you’ve got to know the city’s underbelly and fight crooks and gangsters on their own turf. In just the same way, CISOs need to live with a foot in the underworld. It’s only by understanding the way that hackers think and operate that you can hope to keep your organization safe, and that means knowing your way around the murkier corners of the dark web and spending plenty of time tracking the scripts, strategies, and other dirty tricks being shared by the black-hat crowd. Superman might be able to do his job by soaring over the metropolis, but CISOs need to get down in the gutter to beat cybercriminals.

Superman’s clean-cut approach to fighting crime also contrasts with Batman’s grimmer and grubbier way of getting the job done. Superman is idealistic and trusting; Batman is a realist with a healthy dose of paranoia. In the same way, CISOs need to see most people, processes, and technologies as potential sources of risk. Instead of looking for the best in people, they need to assume the worst, so they can be prepared to counter vulnerabilities and respond to security breaches swiftly when they occur.

Finally, it’s worth remembering that Superman was born with incredible strength, X-ray vision, and other spectacular superpowers that let him defeat almost any enemy without breaking a sweat. By contrast, Batman must take on villains with just his own cunning and a Batcave full of innovative gadgets.

In the same way, CISOs can’t assume they’ll automatically be able to defeat any threats. It takes real work and preparation to beat cybercrime, and CISOs need to stay on top of all the latest cybersecurity innovations to make sure they’ve got the right tools on their utility belts.

Be an anti-hero, but not a villain

What does all this mean in practice? Well, it means that as a CISO, you need to get used to the idea that people won’t typically cheer when you walk in the door each morning. In fact, you may well get a few dirty looks when you arrive, especially if you’ve just shot down a project that would have introduced a critical vulnerability or rolled out new security measures that complicate people’s workflows or require them to learn new habits. That’s regrettable, but it’s also a sign that you’re doing your job well.

There’s a fine line, of course, between being an anti-hero and being a villain. CISOs should recognize that their duties make them unpopular, and that many of the security measures they introduce risk making people’s lives more complicated. But they should stop short of reveling in making people miserable.

Batman might bloody a few noses to keep Gotham safe, but he lives by a code that ensures he never puts civilians in danger. And precisely because they’re taking unpopular measures, CISOs have a responsibility to explain the need for the policies they introduce, and to ensure their actions are always proportionate to the threats they’re trying to counter.

The bottom line: CISOs are superheroes. But they can’t expect acclaim or gratitude. Their job is a thankless one that requires them to protect their organization without much recognition, using guile and technological know-how to plug vulnerabilities that others miss or to prevent looming crises that others fail to spot or refuse to acknowledge. Like the Dark Knight watching over an ungrateful Gotham, CISOs won’t win any medals for their efforts — but they’re the heroes we need during these turbulent times.