Finding connection and resilience as a CISO

With sensitive information to protect and reputational risk always in the background, it isn’t easy for security leaders to have open conversations about what’s working and what isn’t. Yet strong peer networks and candid exchanges are critical for resilience, both organizationally and personally.

In this Help Net Security interview, Michael Green, CISO at Trellix, discusses how CISOs can build trusted communities, balance information sharing with confidentiality, and avoid burnout while leading at the highest level.

CISO community

How can CISOs create stronger peer networks that allow for candid conversations about challenges and failures without fear of reputational risk?

To create stronger networks among CISOs, security leaders can join trusted peer groups like industry ISACs (Information Sharing and Analysis Centers) or associations within shared technology/compliance spaces like cloud, GRC, and regulatory. The protocols and procedures in these groups ensure members can have meaningful conversations without putting them or their organization at risk. They can use these communities as sounding boards for challenges their teams are facing in executing projects or complex compliance initiatives they’re rolling out, and as a result can save time and increase efficiency based on the insights their peers have to offer.

What kinds of peer-to-peer forums or informal communities provide the most actionable insights for CISOs?

Industry-specific groups and online forums can certainly offer valuable insights. Specialized communities focused on particular technologies (e.g., cloud security, IoT security) or compliance frameworks (e.g., PCI, GDPR, HIPAA) often provide detailed discussions and solutions directly applicable to specific organizational challenges.

Local or regional peer pods or security vendor forums, while requiring careful vetting, can also offer a broad range of perspectives and timely information on emerging threats and vulnerabilities. My advice to other CISOs is to seek out groups that prioritize value-driven exchanges, while also having established norms for respectful and secure information sharing.

Additionally, I always recommend that leaders seek mentors and mentees both within and outside of their industries. For example, a CISO mentoring a CIO/CTO or product owner within or outside of their industry can bring valuable insights and new perspectives on tackling specific roles or issues. Being a mentor serves as a valuable reminder of your own operational methods, and the experiences shared by mentees can always offer CISOs new learning opportunities.

How can CISOs balance the value of industry-wide information sharing with the need to protect sensitive details about their own organization?

Information sharing operates in tiers, each with specific protocols for data protection. Top tiers, involving entities like ISACs, the FBI, and DHS, have established protocols to properly share and safeguard confidential data.

Other tiers may involve information and intelligence already made public, such as CVEs or other security disclosures. CISOs and their teams may seek assistance from industry groups, partnerships, or vendors to interpret current Indicators of Compromise (IOCs) and other remediation elements, even when public.

Continuously improving vendor partnerships is crucial for managing platforms and programs, as strong partners will be familiar with internal operations while protecting sensitive information.

The CISO role can be isolating at the top. What practices have you found most effective for maintaining personal resilience and avoiding burnout?

Transparency and delegation are the keys to avoiding burnout as a CISO. Cultivating strong relationships with executive leadership and board members plays a vital role, but beyond that, engaging and empowering technology leaders, product owners, and employees is also critical.

It’s important to regularly communicate the organization’s cybersecurity posture, potential risks, and the impact of security initiatives – this can, and will, build shared trust and understanding. This proactive approach helps to demystify cybersecurity, making it a collective responsibility rather than solely the CISO’s burden.

Additionally, encouraging a culture of continuous learning and development, not just with the security team but broader technology and product teams, will empower employees, distribute expertise, and grow a more resilient and adaptable workforce.

Equally as important is an emphasis on people, process and technology. Building a risk management program that enables the appropriate line of sight to corporate stakeholders and implementers allows organizations to tackle risk decisions for remediation collectively. Procedures, execution, and reporting can be a big lift in many organizations.

If you could change one thing about how the CISO community collaborates, what would it be and why?

Availability and resources are recurring themes for CISOs and their teams. Namely, CISOs don’t always have the time to participate in these different options for collaboration. I would advise CISOs to build on their ability to delegate to leaders within their organization to represent them in some of these communities.

It would be great for more CISOs to empower other internal cyber and technology leaders to listen, contribute, and bring back valuable information from these peer groups to their organization.
