“You have to want to solve problems with people, instead of, or alongside, solving problems with code,” she suggests. “Most engineers enjoy solving problems; that’s why we’re interested in the field in the first place. It took me a while to realize that solving problems with people was just as much fun, if not, as in my case, more fun. That expands into a desire to build a team to help solve those problems.”

That’s the first part. “The second requirement is a strategic outlook. Strategy is one of those things that’s hard to explain, but you know it when you see it. I think when you’re focused on solving a problem, it’s sometimes hard to lift your gaze and see the larger view. So, what are we trying to build? How are we moving the company forward? Is this a risk that’s worth taking? Is there a way that I could do this faster or cheaper? Is there a quicker mitigation that isn’t canonically pure, but is going to still achieve the right goal for the results of the company?”

For the CISO, tactics and strategy are not an either/or option. A CISO requires skill in both. The difficulty is encapsulated in the old saying, ‘Can’t see the wood for the trees’ (better known in the US as ‘Can’t see the forest for the trees’), which was included in John Heywood’s compilation of English-language proverbs published in 1546. Applied to the CISO role today, it implies that too much focus on the trees (tactics) can reduce perspective on the health of the overall forest (strategy). But at the same time, you cannot focus solely on strategy, since a single failed tactic, like the bad apple in the barrel, can spread and endanger the strategic forest.

Cardwell gives a pertinent illustration. She was asked by another CISO, “How do you manage a team comprising thousands of people?” She replied, “You need a really solid team of individuals. If one is weak, you’ll spend a disproportionate amount of time in that person’s area, potentially micromanaging, potentially dragging out the process of trying to make that individual stronger. So, I think individual tactics can have a huge impact on overall strategy – imagine your weak tree or bad apple was the head of your incident response. That would be a disaster.” To combine tactical and strategic understanding, she applies the T-shaped management approach: deep knowledge of individual tactics combined with a broad view of overall strategy.

One team rather than a collection of different experts

The security team is pivotal to a successful cybersecurity posture. There are two elements, not quite conflicting but not necessarily complementary, to the making of a successful team. Each person must be the most expert person available in their own individual cyber discipline; but these separate expert individuals must gel into one single cohesive team. The best cake comes from using the best ingredients, mixed and blended by the skill of the baker. The CISO must be that baker.

“I use empowerment as my number one tool,” says Cardwell. “Instead of simply telling people what to do, I try to bring everyone together as a single body and ask, ‘What should we do? Let’s develop our strategy and plan how to get there, together.’”

“I hate being told what to do,” she adds, “and I believe most people hate being told what to do. But I love being part of a mission, being part of a cause. So, the task is to get everyone to work together for that shared cause. The best way to achieve this is to define the cause together, to map out the route together, and achieve the shared destination together.” Rather than delegate a series of instructions, she empowers the team to find and execute the tactics necessary for the right strategic outcome – one team rather than a collection of different experts.

What type of person can achieve this goal of empowering others while still being the leader – what, in fact, is the primary and necessary character trait required to be a great CISO?

“I’m torn between suggesting a deep sense of curiosity and a very low ego,” she says. “For me, they must both be present. You’re not going to be a great CISO if you’re not continuously trying to look deeper and deeper and deeper to find the root cause of a problem. But I also believe, if you feel you must behave as the smartest person in the room, you will drown everybody else’s ability to offer their own suggestions. Teams are only strong when every member of the team gets to be an operating part of that team. When there’s one person at the top, who’s the general and who’s always telling everyone what to do, the team will only be as smart as the general. So, I’m going to say low ego is the primary necessary trait for a CISO, because having a low ego also makes everyone better at curiosity.”

CISO burnout

While a leader must strive to get the best from the team, the CISO must also protect each member from the worst. In cybersecurity, that often means mental health. Working in cybersecurity is like living in a pressure cooker. The requirement is to let out excess steam before the pressure builds and breaks the cooker – and if it does break, that’s burnout. Burnout is both a tragedy for the person and a danger to security.

It is a chronic state of physical, emotional, and mental exhaustion resulting from prolonged and excessive stress. Tiredness can be ‘cured’ by a good night’s sleep. Burnout cannot. CISOs must constantly watch for any early sign of approaching burnout in their team members – but since ‘prolonged and excessive stress’ is almost part of the security job description, early prevention is better than waiting for the visible signs.

“It’s a serious problem,” says Cardwell. “One of my approaches to handling this has been to introduce half-day Fridays. No other department in the company has done this – but no other department gets a call at four in the morning saying get out of bed, we’ve got an emergency. It’s expected in security. Every person on the security team is basically on call 24 hours a day. If my expectation is that every individual will get out of bed or leave their dinner date or whatever it is – which I need them to do if we’re in the middle of an emergency – the least I can do is give back some amount of time that compensates for that time when we’re fighting a fire.”

But for the team, it is more than just a few hours off – it is their CISO’s recognition that security professionals are firefighters subject to burnout. This feeling of being seen and cared for “really reduced the burnout across the team almost immediately and had a long-lasting effect.”

(This conversation was held on a Friday morning. Do you take your own advice? “I do. Actually, I plan to go to the beach this afternoon. But now that I’ve said that out loud, of course there’ll be an incident occurring somewhere!”)

Burnout is way beyond simple exhaustion. If it strikes hard, recovery is very difficult. Cardwell believes you need to catch it early to survive it effectively. “People don’t recognize that their mind is staying engaged with work for 50 hours and then 60 hours, until their spouse or their kids or their doctor says, ‘You got to stop. This is not healthy.’ If that person can reach the early stage point and say, ‘Oh, I understand now. I don’t want to take another step. I’m exhausted. I don’t enjoy this…’ Only if they can recognize and remediate the acute stage before the chronic stage sets in can people recover from burnout – and not go there again.”

Understanding a CISO

We use four key indicators to help us understand how CISOs approach their role. These are their view on the biggest difficulty in being a CISO; the best career advice they ever received (it’s likely to be foundational to how they operate); the advice they give to aspiring and promising team members (it shows what they think is important for the next generation of leaders, based on their own experience); and their view on emerging threats.

A CISO’s biggest difficulty. “It’s impossible to prove a negative. When a CISO is doing a great job, nobody notices, because nothing is happening, and it’s very difficult to look back and say, ‘Hey, we haven’t had an incident for the last five years – just look at what a great job I’m doing.’ The problem is you can’t tell whether you haven’t had an incident because you’re lucky or because you’re good. It’s easy to say we’ve had 2 billion attacks over the past five years, and we’ve managed to thwart them all. But that just leads to one of the hardest problems: it’s difficult to say I need more money, even though we haven’t had an incident.”

Best career advice received. “The best career advice I ever received,” says Cardwell, “is to bring people along by giving credit – always give credit, never take credit. If I want to get somebody to do something and they do it, then they get all the credit for that, and I don’t take any of it. The next time I ask them to work with me, they’re going to be more likely and eager to do so because they know that I’m going to give them 100% of the credit for the work that they do.”

Advice given. “Advice I frequently give is to understand we are not alone in this. If you’re not working with your peers, you are not doing it right. The first thing I do in a new CISO role is to reach out to the chief privacy officer and reach out to the head of audit, because it will make me stronger. If I drop a seed into the soil of the audit department and say, ‘Here’s something I see, but I can’t get any traction on it,’ within a couple of months they’re going to start an audit on that place. I don’t have to be the person driving it anymore. I’ve essentially reached out to a partner, and now we’re teamed up on that problem.”

Same with privacy. “In many respects, the privacy officer needs to do very similar work to what I’m trying to achieve. If I get closer to that person and partner with privacy, now we can pool our budgets and use the same tools to do the things we’re both trying to do, instead of coming at the problem from different angles.”

Biggest current threat. “We’re beginning to see AI-generated spam emails that are so completely personalized to a CEO or a CFO that they look like part of an ongoing conversation – a conversation between the CEO and CFO, complete with thread, but all fake. Whole conversations and back stories written by AI and then brought over to accounting to pay a bill or an invoice. That level of precision and personalization doesn’t get caught by spam filters. It’s a whole different level of social engineering that I don’t think we’re prepared for, and I think it’s going to be one of the next big issues that we must handle.”
That’s the first part. “The second requirement is a strategic outlook. Strategy is one of those things that’s hard to explain, but you know it when you see it. I think when you’re focused on solving a problem, it’s sometimes hard to lift your gaze and see the larger view. So, what are we trying to build? How are we moving the company forward? Is this a risk that’s worth taking? Is there a way that I could do this faster or cheaper? Is there a quicker mitigation that isn’t canonically pure, but is going to still achieve the right goal for the results of the company?”Aimee CardwellFor the CISO, tactics and strategy are not an either/or option. A CISO requires skill in both. The difficulty is encapsulated in the old saying, ‘Can’t see the wood for the trees’ (better known in the US as ‘Can’t see the forest for the trees’), which was included in John Heywood’s compilation of English language proverbs published way back in 1546. Today, applied to the CISO role, it implies that too much focus on the trees (tactics) can reduce perspective on the overall forest health (strategy). But at the same time, you cannot simply focus on the strategy since a single failed tactic, like the bad apple in the barrel, can spread to endanger the strategic forest.Cardwell gives a pertinent illustration. She was asked by another CISO, “How do you manage a team comprising thousands of people?” She replied, “You need a really solid team of individuals. If one is weak, you’ll spend a disproportionate amount of time in that person’s area, potentially micromanaging, potentially dragging out the process of trying to make that individual be stronger. So, I think individual tactics can have a huge impact on overall strategy – imagine your weak tree or bad apple was the head of your incident response. 
That would be a disaster.” To combine both a tactical and strategic understanding, she focuses on an application of the T-shaped management approach: deep knowledge of individual tactics with a widespread view of overall strategy.One team rather than a collection of different expertsThe security team is pivotal to a successful cybersecurity posture. There are two elements, not quite conflicting but not necessarily complementary, to the making of a successful team. Each person must be the most expert person available in their own individual cyber discipline; but these separate expert individuals must gel into one single cohesive team. The best cake comes from using the best ingredients mixed and blended by the skill of the baker. The CISO must be that baker.“I use empowerment as my number one tool,” says Cardwell. “Instead of simply telling people what to do, I try to bring everyone together as a single body and ask, ‘What should we do? Let’s develop our strategy and plan how to get there, together.’“I hate being told what to do,” she adds, “and I believe most people hate being told what to do. But I love being part of a mission, being part of a cause. So, the task is to get everyone to work together for that shared cause. The best way to achieve this is to define the cause together, to map out the route together, and achieve the shared destination together.” Rather than delegate a series of instructions, she empowers the team to find and achieve the tactics necessary for the right strategic outcome – one team rather than a collection of different experts.What type of person can achieve this goal of empowering others while still being the leader – what, in fact, is the primary and necessary character trait required to be a great CISO?“I’m torn between suggesting a deep sense of curiosity and a very low ego,” she says. “For me, they must both be present. 
You’re not going to be a great CISO if you’re not continuously trying to look deeper and deeper and deeper to find the root cause of a problem. But I also believe, if you feel you must behave as the smartest person in the room, you will drown everybody else’s ability to offer their own suggestions. Teams are only strong when every member of the team gets to be an operating part of that team. When there’s one person at the top, who’s the general and who’s always telling everyone what to do, the team will only be as smart as the general. So, I’m going to say low ego is the primary necessary trait for a CISO, because having a low ego also makes everyone better at curiosity.”CISO burnoutWhile a leader must strive to get the best from the team, the CISO must also protect each member from the worst. In cybersecurity, that often means mental health. Working in cybersecurity is like living in a pressure cooker. The requirement is to let out excess steam before the pressure builds and breaks the cooker – and if it does break, that’s burnout. Burnout is both a tragedy for the person, and a danger to security.It is a chronic state of physical, emotional, and mental exhaustion resulting from prolonged and excessive stress. Tiredness can be ‘cured’ by a good night’s sleep. Burnout cannot. CISOs must constantly watch for any early sign of approaching burnout in their team members – but since ‘prolonged and excessive stress’ is almost part of the security job description, early prevention is better than waiting for the visible signs.“It’s a serious problem,” says Cardwell. “One of my approaches to handling this has been to introduce half day Fridays. No other department in the company has done this – but no other department gets a call at four in the morning saying get out of bed, we’ve got an emergency. It’s expected in security. Every person on the security team is basically on call 24 hours a day. 
If my expectation is that every individual will get out of bed or leave their dinner date or whatever it is – which I need them to do if we’re in the middle of an emergency – the least I can do is give back some amount of time that compensates for that time when we’re fighting a fire.”But for the team, it is more than just a few hours off – it is their CISO’s recognition that security professionals are firefighters subject to burnout. This feeling of being seen and cared for “really reduced the burnout across the team almost immediately and had a long lasting effect.”(This conversation was held on a Friday morning. Do you take your own advice? “I do. Actually, I plan to go to the beach this afternoon. But now that I’ve said that out loud, of course there’ll be an incident occur somewhere!”)Burnout is way beyond simple exhaustion. If it strikes hard, recovery is very difficult. Cardwell believes you need to catch it early to survive it effectively. “People don’t recognize that their mind is staying engaged with work for 50 hours and then 60 hours, until their spouse or their kids or their doctor says, ‘You got to stop. This is not healthy’. If that person can reach the early stage point and say, ‘Oh, I understand now. I don’t want to take another step. I’m exhausted. I don’t enjoy this…’ Only if they can recognize and remediate the acute stage before the chronic stage sets in can people recover from burnout – and not go there again.”Understanding a CISOWe use four key indicators to help us understand how CISOs approach their role. These are their view on the biggest difficulty in being a CISO; the best career advice ever received (it’s likely to be foundational to how they operate); the advice they give to aspiring and promising team members (it shows what they think is important for the next generation of leaders based on their own experience); and their view on emerging threats.A CISO’s biggest difficulty. “It’s impossible to prove a negative. 
When a CISO is doing a great job, nobody notices, because nothing is happening, and it’s very difficult to look back and say, ‘Hey, we haven’t had an incident for the last five years – just look at what a great job I’m doing.’ The problem is you can’t tell whether you haven’t had an incident because you’re lucky or because you’re good. It’s easy to say we’ve had 2 billion attacks over the past five years, and we’ve managed to thwart them all. But that just leads to one of the hardest problems: it’s difficult to say I need more money, even though we haven’t had an incident.”Best career advice received. “The best career advice I ever received,” says Cardwell, “is to bring people along by giving credit – always give credit, never take credit. If I want to get somebody to do something and they do it, then they get all the credit for that, and I don’t take any of it. The next time I ask them to work with me, they’re going to be more likely and eager to do so because they know that I’m going to give them 100% of the credit for the work that they do.”Advice given. “Advice I frequently give is to understand we are not alone in this. If you’re not working with your peers, you are not doing it right. The first thing I do in a new CISO role is to reach out to the chief privacy officer and reach out to the head of audit, because it will make me stronger. If I drop a seed into the soil of the audit department and say, ‘Here’s something I see, but I can’t get any traction on it’, within a couple of months they’re going to start an audit on that place. I don’t have to be the person driving it anymore. I’ve essentially reached out to a partner, and now we’re teamed up on that problem.”Same with privacy. “In many respects, the privacy officer needs to do very similar work to what I’m trying to achieve. 
If I get closer to that person and partner with privacy, now we can pool our budgets and use the same tools to do the things we’re both trying to do, instead of coming at the problem from different angles.”Biggest current threat. “We’re beginning to see AI-generated spam emails that are so completely personalized to a CEO or a CFO that they look like part of an ongoing conversation – a conversation between the CEO and CFO, complete with thread, but all fake. Whole conversations and back stories written by AI and then brought over to accounting to pay a bill or an invoice. That level of precision and personalization doesn’t get caught by spam filters. It’s a whole different level of social engineering that I don’t think we’re prepared for, and I think it’s going to be one of the next big issues that we must handle.”[Attend the CISO Forum at the Ritz-Carlton, Half Moon Bay]Related:CISO Conversations: Maarten Van Horenbeeck, SVP & Chief Security Officer at AdobeRelated:CISO Conversations: Jaya Baloo From Rapid7 and Jonathan Trull From QualysRelated:CISO Conversations: LinkedIn’s Geoff Belknap and Meta’s Guy RosenRelated:CISO Conversations: Nick McKenzie (Bugcrowd) and Chris Evans (HackerOne)

For the CISO, tactics and strategy are not an either/or option. A CISO requires skill in both. The difficulty is encapsulated in the old saying, ‘Can’t see the wood for the trees’ (better known in the US as ‘Can’t see the forest for the trees’), which was included in John Heywood’s compilation of English language proverbs published way back in 1546. Today, applied to the CISO role, it implies that too much focus on the trees (tactics) can reduce perspective on the overall forest health (strategy). But at the same time, you cannot simply focus on the strategy since a single failed tactic, like the bad apple in the barrel, can spread to endanger the strategic forest.Cardwell gives a pertinent illustration. She was asked by another CISO, “How do you manage a team comprising thousands of people?” She replied, “You need a really solid team of individuals. If one is weak, you’ll spend a disproportionate amount of time in that person’s area, potentially micromanaging, potentially dragging out the process of trying to make that individual be stronger. So, I think individual tactics can have a huge impact on overall strategy – imagine your weak tree or bad apple was the head of your incident response. That would be a disaster.” To combine both a tactical and strategic understanding, she focuses on an application of the T-shaped management approach: deep knowledge of individual tactics with a widespread view of overall strategy.One team rather than a collection of different expertsThe security team is pivotal to a successful cybersecurity posture. There are two elements, not quite conflicting but not necessarily complementary, to the making of a successful team. Each person must be the most expert person available in their own individual cyber discipline; but these separate expert individuals must gel into one single cohesive team. The best cake comes from using the best ingredients mixed and blended by the skill of the baker. 
The CISO must be that baker.“I use empowerment as my number one tool,” says Cardwell. “Instead of simply telling people what to do, I try to bring everyone together as a single body and ask, ‘What should we do? Let’s develop our strategy and plan how to get there, together.’“I hate being told what to do,” she adds, “and I believe most people hate being told what to do. But I love being part of a mission, being part of a cause. So, the task is to get everyone to work together for that shared cause. The best way to achieve this is to define the cause together, to map out the route together, and achieve the shared destination together.” Rather than delegate a series of instructions, she empowers the team to find and achieve the tactics necessary for the right strategic outcome – one team rather than a collection of different experts.What type of person can achieve this goal of empowering others while still being the leader – what, in fact, is the primary and necessary character trait required to be a great CISO?“I’m torn between suggesting a deep sense of curiosity and a very low ego,” she says. “For me, they must both be present. You’re not going to be a great CISO if you’re not continuously trying to look deeper and deeper and deeper to find the root cause of a problem. But I also believe, if you feel you must behave as the smartest person in the room, you will drown everybody else’s ability to offer their own suggestions. Teams are only strong when every member of the team gets to be an operating part of that team. When there’s one person at the top, who’s the general and who’s always telling everyone what to do, the team will only be as smart as the general. So, I’m going to say low ego is the primary necessary trait for a CISO, because having a low ego also makes everyone better at curiosity.”CISO burnoutWhile a leader must strive to get the best from the team, the CISO must also protect each member from the worst. 
In cybersecurity, that often means mental health. Working in cybersecurity is like living in a pressure cooker. The requirement is to let out excess steam before the pressure builds and breaks the cooker – and if it does break, that’s burnout. Burnout is both a tragedy for the person, and a danger to security.It is a chronic state of physical, emotional, and mental exhaustion resulting from prolonged and excessive stress. Tiredness can be ‘cured’ by a good night’s sleep. Burnout cannot. CISOs must constantly watch for any early sign of approaching burnout in their team members – but since ‘prolonged and excessive stress’ is almost part of the security job description, early prevention is better than waiting for the visible signs.“It’s a serious problem,” says Cardwell. “One of my approaches to handling this has been to introduce half day Fridays. No other department in the company has done this – but no other department gets a call at four in the morning saying get out of bed, we’ve got an emergency. It’s expected in security. Every person on the security team is basically on call 24 hours a day. If my expectation is that every individual will get out of bed or leave their dinner date or whatever it is – which I need them to do if we’re in the middle of an emergency – the least I can do is give back some amount of time that compensates for that time when we’re fighting a fire.”But for the team, it is more than just a few hours off – it is their CISO’s recognition that security professionals are firefighters subject to burnout. This feeling of being seen and cared for “really reduced the burnout across the team almost immediately and had a long lasting effect.”(This conversation was held on a Friday morning. Do you take your own advice? “I do. Actually, I plan to go to the beach this afternoon. But now that I’ve said that out loud, of course there’ll be an incident occur somewhere!”)Burnout is way beyond simple exhaustion. 
If it strikes hard, recovery is very difficult. Cardwell believes you need to catch it early to survive it effectively. “People don’t recognize that their mind is staying engaged with work for 50 hours and then 60 hours, until their spouse or their kids or their doctor says, ‘You got to stop. This is not healthy’. If that person can reach the early stage point and say, ‘Oh, I understand now. I don’t want to take another step. I’m exhausted. I don’t enjoy this…’ Only if they can recognize and remediate the acute stage before the chronic stage sets in can people recover from burnout – and not go there again.”Understanding a CISOWe use four key indicators to help us understand how CISOs approach their role. These are their view on the biggest difficulty in being a CISO; the best career advice ever received (it’s likely to be foundational to how they operate); the advice they give to aspiring and promising team members (it shows what they think is important for the next generation of leaders based on their own experience); and their view on emerging threats.A CISO’s biggest difficulty. “It’s impossible to prove a negative. When a CISO is doing a great job, nobody notices, because nothing is happening, and it’s very difficult to look back and say, ‘Hey, we haven’t had an incident for the last five years – just look at what a great job I’m doing.’ The problem is you can’t tell whether you haven’t had an incident because you’re lucky or because you’re good. It’s easy to say we’ve had 2 billion attacks over the past five years, and we’ve managed to thwart them all. But that just leads to one of the hardest problems: it’s difficult to say I need more money, even though we haven’t had an incident.”Best career advice received. “The best career advice I ever received,” says Cardwell, “is to bring people along by giving credit – always give credit, never take credit. 
If I want to get somebody to do something and they do it, then they get all the credit for that, and I don’t take any of it. The next time I ask them to work with me, they’re going to be more likely and eager to do so because they know that I’m going to give them 100% of the credit for the work that they do.”Advice given. “Advice I frequently give is to understand we are not alone in this. If you’re not working with your peers, you are not doing it right. The first thing I do in a new CISO role is to reach out to the chief privacy officer and reach out to the head of audit, because it will make me stronger. If I drop a seed into the soil of the audit department and say, ‘Here’s something I see, but I can’t get any traction on it’, within a couple of months they’re going to start an audit on that place. I don’t have to be the person driving it anymore. I’ve essentially reached out to a partner, and now we’re teamed up on that problem.”Same with privacy. “In many respects, the privacy officer needs to do very similar work to what I’m trying to achieve. If I get closer to that person and partner with privacy, now we can pool our budgets and use the same tools to do the things we’re both trying to do, instead of coming at the problem from different angles.”Biggest current threat. “We’re beginning to see AI-generated spam emails that are so completely personalized to a CEO or a CFO that they look like part of an ongoing conversation – a conversation between the CEO and CFO, complete with thread, but all fake. Whole conversations and back stories written by AI and then brought over to accounting to pay a bill or an invoice. That level of precision and personalization doesn’t get caught by spam filters. 
It’s a whole different level of social engineering that I don’t think we’re prepared for, and I think it’s going to be one of the next big issues that we must handle.”[Attend the CISO Forum at the Ritz-Carlton, Half Moon Bay]Related:CISO Conversations: Maarten Van Horenbeeck, SVP & Chief Security Officer at AdobeRelated:CISO Conversations: Jaya Baloo From Rapid7 and Jonathan Trull From QualysRelated:CISO Conversations: LinkedIn’s Geoff Belknap and Meta’s Guy RosenRelated:CISO Conversations: Nick McKenzie (Bugcrowd) and Chris Evans (HackerOne)

The best way to achieve this is to define the cause together, to map out the route together, and achieve the shared destination together.” Rather than delegate a series of instructions, she empowers the team to find and achieve the tactics necessary for the right strategic outcome – one team rather than a collection of different experts.

What type of person can achieve this goal of empowering others while still being the leader – what, in fact, is the primary and necessary character trait required to be a great CISO?

“I’m torn between suggesting a deep sense of curiosity and a very low ego,” she says. “For me, they must both be present. You’re not going to be a great CISO if you’re not continuously trying to look deeper and deeper and deeper to find the root cause of a problem. But I also believe, if you feel you must behave as the smartest person in the room, you will drown everybody else’s ability to offer their own suggestions. Teams are only strong when every member of the team gets to be an operating part of that team. When there’s one person at the top, who’s the general and who’s always telling everyone what to do, the team will only be as smart as the general. So, I’m going to say low ego is the primary necessary trait for a CISO, because having a low ego also makes everyone better at curiosity.”

CISO burnout

While a leader must strive to get the best from the team, the CISO must also protect each member from the worst. In cybersecurity, that often means mental health. Working in cybersecurity is like living in a pressure cooker. The requirement is to let out excess steam before the pressure builds and breaks the cooker – and if it does break, that’s burnout. Burnout is both a tragedy for the person, and a danger to security.

It is a chronic state of physical, emotional, and mental exhaustion resulting from prolonged and excessive stress. Tiredness can be ‘cured’ by a good night’s sleep. Burnout cannot. CISOs must constantly watch for any early sign of approaching burnout in their team members – but since ‘prolonged and excessive stress’ is almost part of the security job description, early prevention is better than waiting for the visible signs.

“It’s a serious problem,” says Cardwell. “One of my approaches to handling this has been to introduce half-day Fridays. No other department in the company has done this – but no other department gets a call at four in the morning saying get out of bed, we’ve got an emergency. It’s expected in security. Every person on the security team is basically on call 24 hours a day. If my expectation is that every individual will get out of bed or leave their dinner date or whatever it is – which I need them to do if we’re in the middle of an emergency – the least I can do is give back some amount of time that compensates for that time when we’re fighting a fire.”

But for the team, it is more than just a few hours off – it is their CISO’s recognition that security professionals are firefighters subject to burnout. This feeling of being seen and cared for “really reduced the burnout across the team almost immediately and had a long-lasting effect.”

(This conversation was held on a Friday morning. Do you take your own advice? “I do. Actually, I plan to go to the beach this afternoon. But now that I’ve said that out loud, of course there’ll be an incident occur somewhere!”)

Burnout is way beyond simple exhaustion. If it strikes hard, recovery is very difficult. Cardwell believes you need to catch it early to survive it effectively. “People don’t recognize that their mind is staying engaged with work for 50 hours and then 60 hours, until their spouse or their kids or their doctor says, ‘You got to stop. This is not healthy’. If that person can reach the early stage point and say, ‘Oh, I understand now. I don’t want to take another step. I’m exhausted. I don’t enjoy this…’ Only if they can recognize and remediate the acute stage before the chronic stage sets in can people recover from burnout – and not go there again.”

Understanding a CISO

We use four key indicators to help us understand how CISOs approach their role. These are their view on the biggest difficulty in being a CISO; the best career advice ever received (it’s likely to be foundational to how they operate); the advice they give to aspiring and promising team members (it shows what they think is important for the next generation of leaders based on their own experience); and their view on emerging threats.

A CISO’s biggest difficulty. “It’s impossible to prove a negative. When a CISO is doing a great job, nobody notices, because nothing is happening, and it’s very difficult to look back and say, ‘Hey, we haven’t had an incident for the last five years – just look at what a great job I’m doing.’ The problem is you can’t tell whether you haven’t had an incident because you’re lucky or because you’re good. It’s easy to say we’ve had 2 billion attacks over the past five years, and we’ve managed to thwart them all. But that just leads to one of the hardest problems: it’s difficult to say I need more money, even though we haven’t had an incident.”

Best career advice received. “The best career advice I ever received,” says Cardwell, “is to bring people along by giving credit – always give credit, never take credit. If I want to get somebody to do something and they do it, then they get all the credit for that, and I don’t take any of it. The next time I ask them to work with me, they’re going to be more likely and eager to do so because they know that I’m going to give them 100% of the credit for the work that they do.”

Advice given. “Advice I frequently give is to understand we are not alone in this. If you’re not working with your peers, you are not doing it right. The first thing I do in a new CISO role is to reach out to the chief privacy officer and reach out to the head of audit, because it will make me stronger. If I drop a seed into the soil of the audit department and say, ‘Here’s something I see, but I can’t get any traction on it’, within a couple of months they’re going to start an audit on that place. I don’t have to be the person driving it anymore. I’ve essentially reached out to a partner, and now we’re teamed up on that problem.”

Same with privacy. “In many respects, the privacy officer needs to do very similar work to what I’m trying to achieve. If I get closer to that person and partner with privacy, now we can pool our budgets and use the same tools to do the things we’re both trying to do, instead of coming at the problem from different angles.”

Biggest current threat. “We’re beginning to see AI-generated spam emails that are so completely personalized to a CEO or a CFO that they look like part of an ongoing conversation – a conversation between the CEO and CFO, complete with thread, but all fake. Whole conversations and back stories written by AI and then brought over to accounting to pay a bill or an invoice. That level of precision and personalization doesn’t get caught by spam filters. It’s a whole different level of social engineering that I don’t think we’re prepared for, and I think it’s going to be one of the next big issues that we must handle.”
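Content-based spam filtering is what a personalised, AI-written fake thread defeats; a control that keys on the thread headers and the sender's mailbox instead does not depend on how convincing the text is. The following is an added example, not code from the interview or from Cardwell's organisation: the executive directory, the set of Message-IDs the organisation sent, the domains and both sample messages are constructed for illustration.

```python
"""Thread-continuity and lookalike-sender checks for an inbound message.

Idea: a message that presents itself as a continuation of a CEO/CFO
conversation must reference Message-IDs the organisation actually sent,
and a message carrying an executive's display name must come from that
executive's own mailbox. A fabricated thread fails the first check; a
lookalike or free-mail sender fails the second.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed reference data. Assumption: in a real deployment these come
# from the mail gateway's index of outbound Message-IDs and the staff directory.
EXECUTIVES = {
    "Jane Doe": "jane.doe@example.com",  # constructed CEO
    "Sam Lee": "sam.lee@example.com",    # constructed CFO
}
SENT_MESSAGE_IDS = {
    "<20240501.1234@example.com>",
    "<20240502.5678@example.com>",
}
PAYMENT_WORDS = re.compile(r"\b(invoice|wire|payment|bank details|pay)\b", re.I)
MSGID = re.compile(r"<[^>]+>")


def _message_ids(msg, header):
    """All Message-IDs in one header, as a set (empty if the header is absent)."""
    return set(MSGID.findall(msg.get(header, "")))


def analyse(raw_message: str) -> dict:
    """Return the anomalies found in one inbound message plus a routing verdict."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "")
    anomalies = []

    # 1. Thread continuity: References/In-Reply-To must point at mail we sent.
    refs = _message_ids(msg, "References") | _message_ids(msg, "In-Reply-To")
    claims_reply = subject.lower().startswith(("re:", "fw:", "fwd:"))
    if refs and not (refs & SENT_MESSAGE_IDS):
        anomalies.append("thread_references_unknown_message_ids")
    elif claims_reply and not refs:
        anomalies.append("reply_subject_without_thread_headers")

    # 2. Executive display name on an address that is not the executive's own.
    expected = EXECUTIVES.get(display.strip())
    if expected and addr.lower() != expected:
        anomalies.append("executive_display_name_external_sender")

    # 3. Payment language decides routing: anomalies plus a payment ask is
    #    held for a human; anomalies alone are flagged for review.
    payload = msg.get_payload(decode=True) or b""
    body = payload.decode("utf-8", errors="replace")
    payment_request = bool(PAYMENT_WORDS.search(subject + "\n" + body))

    if anomalies and payment_request:
        verdict = "hold"
    elif anomalies:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"anomalies": anomalies, "payment_request": payment_request,
            "verdict": verdict}


# Constructed sample: a fabricated CEO-to-CFO thread forwarded to accounting
# from a lookalike domain (note the digit 1 in "examp1e").
FAKE_THREAD = """\
From: Jane Doe <jane.doe@examp1e-corp.com>
To: accounts-payable@example.com
Subject: Fwd: Re: Q2 vendor contract
In-Reply-To: <a1b2c3@examp1e-corp.com>
References: <x9y8z7@examp1e-corp.com> <a1b2c3@examp1e-corp.com>
Content-Type: text/plain; charset=utf-8

Sam approved this below, please wire the invoice today.

> On Tue, Sam Lee wrote:
> Fine by me, go ahead.
"""

# Constructed sample: a genuine reply inside a thread the organisation started.
GENUINE_REPLY = """\
From: Jane Doe <jane.doe@example.com>
To: accounts-payable@example.com
Subject: Re: Q2 vendor contract
In-Reply-To: <20240501.1234@example.com>
References: <20240501.1234@example.com>
Content-Type: text/plain; charset=utf-8

Invoice attached for the usual approval flow.
"""

if __name__ == "__main__":
    for label, sample in (("fake", FAKE_THREAD), ("genuine", GENUINE_REPLY)):
        print(label, analyse(sample))
```

The genuine reply also contains payment language, which is why routing is keyed on the header anomalies rather than on the words alone.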

The security team is pivotal to a successful cybersecurity posture. There are two elements, not quite conflicting but not necessarily complementary, to the making of a successful team. Each person must be the most expert person available in their own individual cyber discipline; but these separate expert individuals must gel into one single cohesive team. The best cake comes from using the best ingredients mixed and blended by the skill of the baker. The CISO must be that baker.“I use empowerment as my number one tool,” says Cardwell. “Instead of simply telling people what to do, I try to bring everyone together as a single body and ask, ‘What should we do? Let’s develop our strategy and plan how to get there, together.’“I hate being told what to do,” she adds, “and I believe most people hate being told what to do. But I love being part of a mission, being part of a cause. So, the task is to get everyone to work together for that shared cause. The best way to achieve this is to define the cause together, to map out the route together, and achieve the shared destination together.” Rather than delegate a series of instructions, she empowers the team to find and achieve the tactics necessary for the right strategic outcome – one team rather than a collection of different experts.What type of person can achieve this goal of empowering others while still being the leader – what, in fact, is the primary and necessary character trait required to be a great CISO?“I’m torn between suggesting a deep sense of curiosity and a very low ego,” she says. “For me, they must both be present. You’re not going to be a great CISO if you’re not continuously trying to look deeper and deeper and deeper to find the root cause of a problem. But I also believe, if you feel you must behave as the smartest person in the room, you will drown everybody else’s ability to offer their own suggestions. Teams are only strong when every member of the team gets to be an operating part of that team. 
When there’s one person at the top, who’s the general and who’s always telling everyone what to do, the team will only be as smart as the general. So, I’m going to say low ego is the primary necessary trait for a CISO, because having a low ego also makes everyone better at curiosity.”CISO burnoutWhile a leader must strive to get the best from the team, the CISO must also protect each member from the worst. In cybersecurity, that often means mental health. Working in cybersecurity is like living in a pressure cooker. The requirement is to let out excess steam before the pressure builds and breaks the cooker – and if it does break, that’s burnout. Burnout is both a tragedy for the person, and a danger to security.It is a chronic state of physical, emotional, and mental exhaustion resulting from prolonged and excessive stress. Tiredness can be ‘cured’ by a good night’s sleep. Burnout cannot. CISOs must constantly watch for any early sign of approaching burnout in their team members – but since ‘prolonged and excessive stress’ is almost part of the security job description, early prevention is better than waiting for the visible signs.“It’s a serious problem,” says Cardwell. “One of my approaches to handling this has been to introduce half day Fridays. No other department in the company has done this – but no other department gets a call at four in the morning saying get out of bed, we’ve got an emergency. It’s expected in security. Every person on the security team is basically on call 24 hours a day. If my expectation is that every individual will get out of bed or leave their dinner date or whatever it is – which I need them to do if we’re in the middle of an emergency – the least I can do is give back some amount of time that compensates for that time when we’re fighting a fire.”But for the team, it is more than just a few hours off – it is their CISO’s recognition that security professionals are firefighters subject to burnout. 
This feeling of being seen and cared for “really reduced the burnout across the team almost immediately and had a long lasting effect.”(This conversation was held on a Friday morning. Do you take your own advice? “I do. Actually, I plan to go to the beach this afternoon. But now that I’ve said that out loud, of course there’ll be an incident occur somewhere!”)Burnout is way beyond simple exhaustion. If it strikes hard, recovery is very difficult. Cardwell believes you need to catch it early to survive it effectively. “People don’t recognize that their mind is staying engaged with work for 50 hours and then 60 hours, until their spouse or their kids or their doctor says, ‘You got to stop. This is not healthy’. If that person can reach the early stage point and say, ‘Oh, I understand now. I don’t want to take another step. I’m exhausted. I don’t enjoy this…’ Only if they can recognize and remediate the acute stage before the chronic stage sets in can people recover from burnout – and not go there again.”Understanding a CISOWe use four key indicators to help us understand how CISOs approach their role. These are their view on the biggest difficulty in being a CISO; the best career advice ever received (it’s likely to be foundational to how they operate); the advice they give to aspiring and promising team members (it shows what they think is important for the next generation of leaders based on their own experience); and their view on emerging threats.A CISO’s biggest difficulty. “It’s impossible to prove a negative. When a CISO is doing a great job, nobody notices, because nothing is happening, and it’s very difficult to look back and say, ‘Hey, we haven’t had an incident for the last five years – just look at what a great job I’m doing.’ The problem is you can’t tell whether you haven’t had an incident because you’re lucky or because you’re good. It’s easy to say we’ve had 2 billion attacks over the past five years, and we’ve managed to thwart them all. 
But that just leads to one of the hardest problems: it’s difficult to say I need more money, even though we haven’t had an incident.”Best career advice received. “The best career advice I ever received,” says Cardwell, “is to bring people along by giving credit – always give credit, never take credit. If I want to get somebody to do something and they do it, then they get all the credit for that, and I don’t take any of it. The next time I ask them to work with me, they’re going to be more likely and eager to do so because they know that I’m going to give them 100% of the credit for the work that they do.”Advice given. “Advice I frequently give is to understand we are not alone in this. If you’re not working with your peers, you are not doing it right. The first thing I do in a new CISO role is to reach out to the chief privacy officer and reach out to the head of audit, because it will make me stronger. If I drop a seed into the soil of the audit department and say, ‘Here’s something I see, but I can’t get any traction on it’, within a couple of months they’re going to start an audit on that place. I don’t have to be the person driving it anymore. I’ve essentially reached out to a partner, and now we’re teamed up on that problem.”Same with privacy. “In many respects, the privacy officer needs to do very similar work to what I’m trying to achieve. If I get closer to that person and partner with privacy, now we can pool our budgets and use the same tools to do the things we’re both trying to do, instead of coming at the problem from different angles.”Biggest current threat. “We’re beginning to see AI-generated spam emails that are so completely personalized to a CEO or a CFO that they look like part of an ongoing conversation – a conversation between the CEO and CFO, complete with thread, but all fake. Whole conversations and back stories written by AI and then brought over to accounting to pay a bill or an invoice. 
That level of precision and personalization doesn’t get caught by spam filters. It’s a whole different level of social engineering that I don’t think we’re prepared for, and I think it’s going to be one of the next big issues that we must handle.”[Attend the CISO Forum at the Ritz-Carlton, Half Moon Bay]Related:CISO Conversations: Maarten Van Horenbeeck, SVP & Chief Security Officer at AdobeRelated:CISO Conversations: Jaya Baloo From Rapid7 and Jonathan Trull From QualysRelated:CISO Conversations: LinkedIn’s Geoff Belknap and Meta’s Guy RosenRelated:CISO Conversations: Nick McKenzie (Bugcrowd) and Chris Evans (HackerOne)

“I use empowerment as my number one tool,” says Cardwell. “Instead of simply telling people what to do, I try to bring everyone together as a single body and ask, ‘What should we do? Let’s develop our strategy and plan how to get there, together.’“I hate being told what to do,” she adds, “and I believe most people hate being told what to do. But I love being part of a mission, being part of a cause. So, the task is to get everyone to work together for that shared cause. The best way to achieve this is to define the cause together, to map out the route together, and achieve the shared destination together.” Rather than delegate a series of instructions, she empowers the team to find and achieve the tactics necessary for the right strategic outcome – one team rather than a collection of different experts.What type of person can achieve this goal of empowering others while still being the leader – what, in fact, is the primary and necessary character trait required to be a great CISO?“I’m torn between suggesting a deep sense of curiosity and a very low ego,” she says. “For me, they must both be present. You’re not going to be a great CISO if you’re not continuously trying to look deeper and deeper and deeper to find the root cause of a problem. But I also believe, if you feel you must behave as the smartest person in the room, you will drown everybody else’s ability to offer their own suggestions. Teams are only strong when every member of the team gets to be an operating part of that team. When there’s one person at the top, who’s the general and who’s always telling everyone what to do, the team will only be as smart as the general. So, I’m going to say low ego is the primary necessary trait for a CISO, because having a low ego also makes everyone better at curiosity.”CISO burnoutWhile a leader must strive to get the best from the team, the CISO must also protect each member from the worst. In cybersecurity, that often means mental health. 
Working in cybersecurity is like living in a pressure cooker. The requirement is to let out excess steam before the pressure builds and breaks the cooker – and if it does break, that’s burnout. Burnout is both a tragedy for the person, and a danger to security.It is a chronic state of physical, emotional, and mental exhaustion resulting from prolonged and excessive stress. Tiredness can be ‘cured’ by a good night’s sleep. Burnout cannot. CISOs must constantly watch for any early sign of approaching burnout in their team members – but since ‘prolonged and excessive stress’ is almost part of the security job description, early prevention is better than waiting for the visible signs.“It’s a serious problem,” says Cardwell. “One of my approaches to handling this has been to introduce half day Fridays. No other department in the company has done this – but no other department gets a call at four in the morning saying get out of bed, we’ve got an emergency. It’s expected in security. Every person on the security team is basically on call 24 hours a day. If my expectation is that every individual will get out of bed or leave their dinner date or whatever it is – which I need them to do if we’re in the middle of an emergency – the least I can do is give back some amount of time that compensates for that time when we’re fighting a fire.”But for the team, it is more than just a few hours off – it is their CISO’s recognition that security professionals are firefighters subject to burnout. This feeling of being seen and cared for “really reduced the burnout across the team almost immediately and had a long lasting effect.”(This conversation was held on a Friday morning. Do you take your own advice? “I do. Actually, I plan to go to the beach this afternoon. But now that I’ve said that out loud, of course there’ll be an incident occur somewhere!”)Burnout is way beyond simple exhaustion. If it strikes hard, recovery is very difficult. 
Cardwell believes you need to catch it early to survive it effectively. “People don’t recognize that their mind is staying engaged with work for 50 hours and then 60 hours, until their spouse or their kids or their doctor says, ‘You got to stop. This is not healthy’. If that person can reach the early stage point and say, ‘Oh, I understand now. I don’t want to take another step. I’m exhausted. I don’t enjoy this…’ Only if they can recognize and remediate the acute stage before the chronic stage sets in can people recover from burnout – and not go there again.”Understanding a CISOWe use four key indicators to help us understand how CISOs approach their role. These are their view on the biggest difficulty in being a CISO; the best career advice ever received (it’s likely to be foundational to how they operate); the advice they give to aspiring and promising team members (it shows what they think is important for the next generation of leaders based on their own experience); and their view on emerging threats.A CISO’s biggest difficulty. “It’s impossible to prove a negative. When a CISO is doing a great job, nobody notices, because nothing is happening, and it’s very difficult to look back and say, ‘Hey, we haven’t had an incident for the last five years – just look at what a great job I’m doing.’ The problem is you can’t tell whether you haven’t had an incident because you’re lucky or because you’re good. It’s easy to say we’ve had 2 billion attacks over the past five years, and we’ve managed to thwart them all. But that just leads to one of the hardest problems: it’s difficult to say I need more money, even though we haven’t had an incident.”Best career advice received. “The best career advice I ever received,” says Cardwell, “is to bring people along by giving credit – always give credit, never take credit. If I want to get somebody to do something and they do it, then they get all the credit for that, and I don’t take any of it. 
The next time I ask them to work with me, they’re going to be more likely and eager to do so because they know that I’m going to give them 100% of the credit for the work that they do.”Advice given. “Advice I frequently give is to understand we are not alone in this. If you’re not working with your peers, you are not doing it right. The first thing I do in a new CISO role is to reach out to the chief privacy officer and reach out to the head of audit, because it will make me stronger. If I drop a seed into the soil of the audit department and say, ‘Here’s something I see, but I can’t get any traction on it’, within a couple of months they’re going to start an audit on that place. I don’t have to be the person driving it anymore. I’ve essentially reached out to a partner, and now we’re teamed up on that problem.”Same with privacy. “In many respects, the privacy officer needs to do very similar work to what I’m trying to achieve. If I get closer to that person and partner with privacy, now we can pool our budgets and use the same tools to do the things we’re both trying to do, instead of coming at the problem from different angles.”Biggest current threat. “We’re beginning to see AI-generated spam emails that are so completely personalized to a CEO or a CFO that they look like part of an ongoing conversation – a conversation between the CEO and CFO, complete with thread, but all fake. Whole conversations and back stories written by AI and then brought over to accounting to pay a bill or an invoice. That level of precision and personalization doesn’t get caught by spam filters. 
It’s a whole different level of social engineering that I don’t think we’re prepared for, and I think it’s going to be one of the next big issues that we must handle.”[Attend the CISO Forum at the Ritz-Carlton, Half Moon Bay]Related:CISO Conversations: Maarten Van Horenbeeck, SVP & Chief Security Officer at AdobeRelated:CISO Conversations: Jaya Baloo From Rapid7 and Jonathan Trull From QualysRelated:CISO Conversations: LinkedIn’s Geoff Belknap and Meta’s Guy RosenRelated:CISO Conversations: Nick McKenzie (Bugcrowd) and Chris Evans (HackerOne)

“I hate being told what to do,” she adds, “and I believe most people hate being told what to do. But I love being part of a mission, being part of a cause. So, the task is to get everyone to work together for that shared cause. The best way to achieve this is to define the cause together, to map out the route together, and achieve the shared destination together.” Rather than delegate a series of instructions, she empowers the team to find and achieve the tactics necessary for the right strategic outcome – one team rather than a collection of different experts.What type of person can achieve this goal of empowering others while still being the leader – what, in fact, is the primary and necessary character trait required to be a great CISO?“I’m torn between suggesting a deep sense of curiosity and a very low ego,” she says. “For me, they must both be present. You’re not going to be a great CISO if you’re not continuously trying to look deeper and deeper and deeper to find the root cause of a problem. But I also believe, if you feel you must behave as the smartest person in the room, you will drown everybody else’s ability to offer their own suggestions. Teams are only strong when every member of the team gets to be an operating part of that team. When there’s one person at the top, who’s the general and who’s always telling everyone what to do, the team will only be as smart as the general. So, I’m going to say low ego is the primary necessary trait for a CISO, because having a low ego also makes everyone better at curiosity.”CISO burnoutWhile a leader must strive to get the best from the team, the CISO must also protect each member from the worst. In cybersecurity, that often means mental health. Working in cybersecurity is like living in a pressure cooker. The requirement is to let out excess steam before the pressure builds and breaks the cooker – and if it does break, that’s burnout. 
Burnout is both a tragedy for the person, and a danger to security.It is a chronic state of physical, emotional, and mental exhaustion resulting from prolonged and excessive stress. Tiredness can be ‘cured’ by a good night’s sleep. Burnout cannot. CISOs must constantly watch for any early sign of approaching burnout in their team members – but since ‘prolonged and excessive stress’ is almost part of the security job description, early prevention is better than waiting for the visible signs.“It’s a serious problem,” says Cardwell. “One of my approaches to handling this has been to introduce half day Fridays. No other department in the company has done this – but no other department gets a call at four in the morning saying get out of bed, we’ve got an emergency. It’s expected in security. Every person on the security team is basically on call 24 hours a day. If my expectation is that every individual will get out of bed or leave their dinner date or whatever it is – which I need them to do if we’re in the middle of an emergency – the least I can do is give back some amount of time that compensates for that time when we’re fighting a fire.”But for the team, it is more than just a few hours off – it is their CISO’s recognition that security professionals are firefighters subject to burnout. This feeling of being seen and cared for “really reduced the burnout across the team almost immediately and had a long lasting effect.”(This conversation was held on a Friday morning. Do you take your own advice? “I do. Actually, I plan to go to the beach this afternoon. But now that I’ve said that out loud, of course there’ll be an incident occur somewhere!”)Burnout is way beyond simple exhaustion. If it strikes hard, recovery is very difficult. Cardwell believes you need to catch it early to survive it effectively. 
“People don’t recognize that their mind is staying engaged with work for 50 hours and then 60 hours, until their spouse or their kids or their doctor says, ‘You got to stop. This is not healthy’. If that person can reach the early stage point and say, ‘Oh, I understand now. I don’t want to take another step. I’m exhausted. I don’t enjoy this…’ Only if they can recognize and remediate the acute stage before the chronic stage sets in can people recover from burnout – and not go there again.”Understanding a CISOWe use four key indicators to help us understand how CISOs approach their role. These are their view on the biggest difficulty in being a CISO; the best career advice ever received (it’s likely to be foundational to how they operate); the advice they give to aspiring and promising team members (it shows what they think is important for the next generation of leaders based on their own experience); and their view on emerging threats.A CISO’s biggest difficulty. “It’s impossible to prove a negative. When a CISO is doing a great job, nobody notices, because nothing is happening, and it’s very difficult to look back and say, ‘Hey, we haven’t had an incident for the last five years – just look at what a great job I’m doing.’ The problem is you can’t tell whether you haven’t had an incident because you’re lucky or because you’re good. It’s easy to say we’ve had 2 billion attacks over the past five years, and we’ve managed to thwart them all. But that just leads to one of the hardest problems: it’s difficult to say I need more money, even though we haven’t had an incident.”Best career advice received. “The best career advice I ever received,” says Cardwell, “is to bring people along by giving credit – always give credit, never take credit. If I want to get somebody to do something and they do it, then they get all the credit for that, and I don’t take any of it. 
The next time I ask them to work with me, they’re going to be more likely and eager to do so because they know that I’m going to give them 100% of the credit for the work that they do.”Advice given. “Advice I frequently give is to understand we are not alone in this. If you’re not working with your peers, you are not doing it right. The first thing I do in a new CISO role is to reach out to the chief privacy officer and reach out to the head of audit, because it will make me stronger. If I drop a seed into the soil of the audit department and say, ‘Here’s something I see, but I can’t get any traction on it’, within a couple of months they’re going to start an audit on that place. I don’t have to be the person driving it anymore. I’ve essentially reached out to a partner, and now we’re teamed up on that problem.”Same with privacy. “In many respects, the privacy officer needs to do very similar work to what I’m trying to achieve. If I get closer to that person and partner with privacy, now we can pool our budgets and use the same tools to do the things we’re both trying to do, instead of coming at the problem from different angles.”Biggest current threat. “We’re beginning to see AI-generated spam emails that are so completely personalized to a CEO or a CFO that they look like part of an ongoing conversation – a conversation between the CEO and CFO, complete with thread, but all fake. Whole conversations and back stories written by AI and then brought over to accounting to pay a bill or an invoice. That level of precision and personalization doesn’t get caught by spam filters. 
It’s a whole different level of social engineering that I don’t think we’re prepared for, and I think it’s going to be one of the next big issues that we must handle.”[Attend the CISO Forum at the Ritz-Carlton, Half Moon Bay]Related:CISO Conversations: Maarten Van Horenbeeck, SVP & Chief Security Officer at AdobeRelated:CISO Conversations: Jaya Baloo From Rapid7 and Jonathan Trull From QualysRelated:CISO Conversations: LinkedIn’s Geoff Belknap and Meta’s Guy RosenRelated:CISO Conversations: Nick McKenzie (Bugcrowd) and Chris Evans (HackerOne)

What type of person can achieve this goal of empowering others while still being the leader – what, in fact, is the primary and necessary character trait required to be a great CISO?

“I’m torn between suggesting a deep sense of curiosity and a very low ego,” she says. “For me, they must both be present. You’re not going to be a great CISO if you’re not continuously trying to look deeper and deeper and deeper to find the root cause of a problem. But I also believe, if you feel you must behave as the smartest person in the room, you will drown everybody else’s ability to offer their own suggestions. Teams are only strong when every member of the team gets to be an operating part of that team. When there’s one person at the top, who’s the general and who’s always telling everyone what to do, the team will only be as smart as the general. So, I’m going to say low ego is the primary necessary trait for a CISO, because having a low ego also makes everyone better at curiosity.”

CISO burnout

While a leader must strive to get the best from the team, the CISO must also protect each member from the worst. In cybersecurity, that often means mental health. Working in cybersecurity is like living in a pressure cooker. The requirement is to let out excess steam before the pressure builds and breaks the cooker – and if it does break, that’s burnout. Burnout is both a tragedy for the person and a danger to security.

It is a chronic state of physical, emotional, and mental exhaustion resulting from prolonged and excessive stress. Tiredness can be ‘cured’ by a good night’s sleep. Burnout cannot. CISOs must constantly watch for any early sign of approaching burnout in their team members – but since ‘prolonged and excessive stress’ is almost part of the security job description, early prevention is better than waiting for the visible signs.

“It’s a serious problem,” says Cardwell. “One of my approaches to handling this has been to introduce half-day Fridays. No other department in the company has done this – but no other department gets a call at four in the morning saying get out of bed, we’ve got an emergency. It’s expected in security. Every person on the security team is basically on call 24 hours a day. If my expectation is that every individual will get out of bed or leave their dinner date or whatever it is – which I need them to do if we’re in the middle of an emergency – the least I can do is give back some amount of time that compensates for that time when we’re fighting a fire.”

But for the team, it is more than just a few hours off – it is their CISO’s recognition that security professionals are firefighters subject to burnout. This feeling of being seen and cared for “really reduced the burnout across the team almost immediately and had a long-lasting effect.”

(This conversation was held on a Friday morning. Do you take your own advice? “I do. Actually, I plan to go to the beach this afternoon. But now that I’ve said that out loud, of course there’ll be an incident occurring somewhere!”)

Burnout is way beyond simple exhaustion. If it strikes hard, recovery is very difficult. Cardwell believes you need to catch it early to survive it effectively. “People don’t recognize that their mind is staying engaged with work for 50 hours and then 60 hours, until their spouse or their kids or their doctor says, ‘You got to stop. This is not healthy’. If that person can reach the early stage point and say, ‘Oh, I understand now. I don’t want to take another step. I’m exhausted. I don’t enjoy this…’ Only if they can recognize and remediate the acute stage before the chronic stage sets in can people recover from burnout – and not go there again.”

Understanding a CISO

We use four key indicators to help us understand how CISOs approach their role. These are their view on the biggest difficulty in being a CISO; the best career advice ever received (it’s likely to be foundational to how they operate); the advice they give to aspiring and promising team members (it shows what they think is important for the next generation of leaders based on their own experience); and their view on emerging threats.

A CISO’s biggest difficulty. “It’s impossible to prove a negative. When a CISO is doing a great job, nobody notices, because nothing is happening, and it’s very difficult to look back and say, ‘Hey, we haven’t had an incident for the last five years – just look at what a great job I’m doing.’ The problem is you can’t tell whether you haven’t had an incident because you’re lucky or because you’re good. It’s easy to say we’ve had 2 billion attacks over the past five years, and we’ve managed to thwart them all. But that just leads to one of the hardest problems: it’s difficult to say I need more money, even though we haven’t had an incident.”

Best career advice received. “The best career advice I ever received,” says Cardwell, “is to bring people along by giving credit – always give credit, never take credit. If I want to get somebody to do something and they do it, then they get all the credit for that, and I don’t take any of it. The next time I ask them to work with me, they’re going to be more likely and eager to do so because they know that I’m going to give them 100% of the credit for the work that they do.”

Advice given. “Advice I frequently give is to understand we are not alone in this. If you’re not working with your peers, you are not doing it right. The first thing I do in a new CISO role is to reach out to the chief privacy officer and reach out to the head of audit, because it will make me stronger. If I drop a seed into the soil of the audit department and say, ‘Here’s something I see, but I can’t get any traction on it’, within a couple of months they’re going to start an audit on that place. I don’t have to be the person driving it anymore. I’ve essentially reached out to a partner, and now we’re teamed up on that problem.”

Same with privacy. “In many respects, the privacy officer needs to do very similar work to what I’m trying to achieve. If I get closer to that person and partner with privacy, now we can pool our budgets and use the same tools to do the things we’re both trying to do, instead of coming at the problem from different angles.”

Biggest current threat. “We’re beginning to see AI-generated spam emails that are so completely personalized to a CEO or a CFO that they look like part of an ongoing conversation – a conversation between the CEO and CFO, complete with thread, but all fake. Whole conversations and back stories written by AI and then brought over to accounting to pay a bill or an invoice. That level of precision and personalization doesn’t get caught by spam filters. It’s a whole different level of social engineering that I don’t think we’re prepared for, and I think it’s going to be one of the next big issues that we must handle.”

Source: SecurityWeek