ITBusiness.ca

RSA Conference 2022 – Advice to a new CISO: Shut up and listen

Silence is golden, goes a saying.

It’s also a great tool for a new chief information security officer, a panel at RSA Conference 2022 in San Francisco told attendees this week.

“Your first 30 days, you should shut up,” said panelist Olivia Rose, CISO and VP of IT and security at data analytics firm Amplitude.

“There are a lot of people that come in [your] door and they start talking,” she said. “You have to shut up with your ideas. Just listen to what’s going on.”

The panel topic was things a CISO should do in their first 90 days on the job. Panelists included Allison Miller, CISO and VP of Trust at Reddit, who joined the company in February 2021, and Caleb Sima, CSO at online trading platform Robinhood, who joined his firm the same month, just after it announced that a huge data breach had exposed the information of 7 million users.

They all had a number of useful tips.

“I find that if you work for a tech company in the [San Francisco] Bay area and the founders and the C-levels are tech people, if you think you’re going to walk in there and they’re going to listen to you about security, you’re sadly mistaken,” said Rose, who was her company’s first security employee. “This is the last thing on their minds. The best way to do it is come up with creative ways. I recommend this to first-time CISOs all the time … You’ve got to come at people from the side. Talk their language.

“If you’re talking with an infrastructure person, talk their language. If you’re talking to somebody in the executive, you can go in with high-level alignments, but you’ve got to connect. It’s all about trust and connection and coming up with ways to hit them right between the eyes.

“It can take five or six months, as it did for me. And I was literally pushing a boulder up a hill. One day they realized in engineering I’m not going away. I have no issues with being called annoying or being not liked. I really don’t care. You’ve got to be persistent, you’ve got to not go away. You’ve got to be seen as, ‘Oh, my gosh I might as well do as she says to get her off my back.’

“But also be clear and giving and meet in the middle.”

If you don’t have any haters, you’re not doing the right thing, said Sima. “Part of the job I’m paid for is sometimes to piss people off. I have to stand up and say, ‘This is a real risk, this is something that scares us and we have to do something about it.’

“I will work as much as I can with an individual” who disagrees, he said, “but sometimes you have to take a stand. There will be people who will not be happy.”

“There is a way of framing things to definitely show where the gaps and problems are without necessarily saying someone is to blame,” said Miller.

Other tips:
