Monday, 2 October 2023

Stereotypes, context and situational awareness.

One of the things most likely to put me into a strop is being told that "you can't do that!", particularly when such a statement is accompanied by absolutely no rationale as to why not. One common example of this is whenever I am told, or hear, or read, blanket statements about what CISOs (or other senior leaders) are, or are not, interested in.  "You can't say that to a CISO, they're just not interested". Oh really?

I have a few issues with such a blanket statement. Firstly, lived experience. I'm not a great fan of being told that some of the things I've done didn't happen. Secondly though, don't you think it's a bit simplistic to stereotype all CISOs as having the same interests, with the organisations that they work for all being in the same position with the same dynamics?  Consider the simple chart below:


You probably already know where I'm going with this. You can plot both individuals and organisations against these axes. There's also a time dimension - for example, a CISO may need to come in to fix a broken security function before then settling into a steady state. Individuals will often be more comfortable in specific quadrants - some folks love the challenge of driving difficult change, others love maintaining order. There are no value judgments here. Likewise organisations: some will be in a good state and looking to keep things ticking over as they are, others will be in the middle of the churn of a fundamental transformation. It helps when you have a match between the leaders and the organisation! But that's a different topic. Anyway. Depending upon where the CISO is sitting at the time of your conversation, you may well find that they are interested in different topics. Clearly, going to a meeting with an assurance-focussed CISO, comfortable with the status quo in a stable and mature organisation, and trying to talk about the practicalities of moving towards zero trust, security by design or DevSecOps is unlikely to go well. Mention of DAST, SAST and SBOMs may well induce a few eye rolls. However, if you're talking to a CISO who has staked their personal reputation on delivering just such a transformation, don't you think they may have at least a little interest in how they could protect that reputation by talking through the "how" of achieving such a transformation in the real world? I'm not suggesting we have to talk 0000s and 11111s, raw TCP/IP or any other deep technical jargon relating to security transformation (although some modern CISOs have grown up in the industry and it's not necessarily an alien tongue to them), but we certainly don't have to limit ourselves to platitudes and quotes from our favourite analysts.
Yes, there are some commonalities in the role of a CISO: the need to be able to manage upwards, the need to be able to communicate with (and influence) business stakeholders, the need to be able to manage budgets, the need to be able to nurture and shield your team, etc. However, if you find yourself being told that "the CISO won't be interested in that", then try asking the person telling you that whereabouts on the chart they'd place the individual CISO they have in mind. They may be right. But they may not be. It's probably worth finding out.