I had the rare opportunity back in May, 2018 to submit an “insight” to my colleague Todd Fitzgerald for a book he was writing. In the end, I was one of 75+ senior cyber professionals who did, and the result was an interesting combination of stories and reference material published as CISO COMPASS.
What made you decide on the topic/format for CISO Spotlight?
When I co-authored the book CISO Leadership: Essential Principles for Success (2007) with Micki Krause, we assembled about 20 people, some of the most prominent pioneers of the industry. I researched the areas that needed to be addressed, and then we met in a hotel in Chicago over a weekend to decide who was going to write which chapter. While that book was the first CISO book of its kind, I felt we could create a much better book if 1) it was written in one voice, 2) more CISOs were involved, and 3) it contained a logical flow for ‘the job of the CISO’ by including an organized roadmap vs. a collection of articles. Hence, the idea for CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers (2019) was to write the roadmap completely myself, in one voice, and supplement the roadmap with experiences from those CISOs and cybersecurity leaders (over 75 participated) in the trenches. I also organized the approach by applying a management framework (McKinsey’s “7S”) to the cybersecurity issues so that we could think of leading cybersecurity as a business. I also wanted this book to represent experience, not theoretical ideas: practical ideas resulting from actual CISO challenges, the actions they took, the results achieved and what they would do differently if they had the chance. The result was a book that has value to new and experienced CISOs with a desire to learn from others as well as those considering the leadership track.
What was the hardest part in creating this work?
Writing a book is not easy. Even though this is my 4th and I have contributed to over a dozen others, the process is never easy. The idea that you can “write a page a day and have a book at the end of the year” is simply not true. While you may have a book at the end, it may not be one anyone wants to read! The writing process was the result of a lot of planning, and then once you create the plan, it changes constantly. Some days you could write for 10-15 hours barely taking a break, as one idea flows from another. Other days – you stare at a screen and after 8 hours and a page worth of output, decide it is a good time to go for a walk in nature – where the best idea you had all day suddenly comes! I found the hardest parts of writing were beginning a topic and ending it – in the middle, the words just came from who knows where! I wasn’t looking to become published with this book. I wanted to produce a good book that people would want and find useful in their work. The only way to do that is to review everything daily with a critical eye and ask, would this have value to someone? Hopefully this was accomplished.
What was the most interesting/unusual nugget you uncovered?
There are so many useful perspectives in the book it would be difficult to call out just one. What struck me, quite honestly, was the willingness of the CISOs to contribute, particularly during periods of their lives where they were dealing with ‘life.’ Sometimes we forget that CISOs are not a monolithic group. By that I mean that while we may listen to them on a panel about security issues, it is easy to forget that they also are humans living lives. I had contributors who were caring for a sick parent, recovering from personal hospital stays, finding a spare moment in an airport lounge, having babies, or in the midst of moving their families across the country for a new job. And yet…these people took the time to share their information. People in this profession are a caring, helpful bunch with a willingness to serve others.
Are there any broad patterns that emerged for you as you pulled it together?
Most definitely. I can see a maturing of our industry with the embracing of frameworks; the importance of developing the right, diverse, competent talent; discussions of risk; moving away from the technical CISOs of the early days; and truly operating security as a business partner.
Did CISO Spotlight help you figure out what your next book might be?
I have been asked if I will write another edition. I love hearing the question because it means the book has had a positive impact. People tell me they have Post-it notes all over the book. I met someone the other day that told me the book made him decide to pursue a career as a CISO. I can’t tell you what those comments do for me – while the book may have inspired him, the gift was really mine. He inspired me to write more, and yes, there will be more. I have a few ideas, whether another edition or a whole new book; I would love to hear from your readers! If I can find the time, I also plan on writing a (non-security) self-help book – Hint: read Chapter 13 in CISO COMPASS.
Thanks for your time!
To order your own copy of CISO COMPASS, click HERE.