For the last 10 years I worked in the EU and Asia-Pacific regions, but in 2021, I became the Chief Information Security Officer (CISO) for a regional US Bank. This new experience has been both challenging and exciting.
Below are five key lessons learned from my first year as a CISO at a US bank.
1. Communication is the foundation of success
Maturing and building a cybersecurity program is a large task, but it can only be successful if key business unit leaders are supportive. To achieve this support, our team started monthly “alignment meetings” to review the program. Our team also sends weekly reports on activity to key internal leaders. This is in addition to regular briefings to internal committees, the board, and executives.
Finally, we initiated a major program to improve risk quantification and reporting so business leaders receive better information for decision making. This communication has helped foster transparency and support.
2. Prioritization is critical
The cliché is that “you can’t’ boil the ocean” and this is very true for the success of a large security program. As a CISO, I often see many problems I want to fix, but the reality is that if I try to do everything, then I may fail. Our team spent a year carefully analyzing our security needs and business requirements.
We then received input from internal stakeholders. Spend more time planning than acting. Prioritize carefully the actions that really value.
3. Global requirements and events affect everything
Privacy requirements are increasingly becoming extraterritorial. Business is global, with citizens of many countries interacting with our bank. Further expansion of online banking is likely to increase the diversity and global scope of customers. Any organization of the size of our bank ($23 billion US assets) has to consider global compliance and security requirements.
The threat of cyber attacks from events such as the war in Ukraine, has also reinforced the global nature of cybersecurity. Even a regional US bank, must stay aware of global events and requirements.
4. Use vendors that provide good support and value
Consolidate vendors and cut off those that don’t understand your needs or add value. As I moved from a security vendor to a customer, I quickly recognized the difference in how some vendors made work simple, while other vendors acted as if we did not matter to them. It has been important for our security team to identify vendors that we trust. As we consolidate our vendor list, we are focusing on the vendors that are truly helpful.
As a CISO, I have enough challenges. Having vendors that are easy to work with and helpful just makes everything easier.
5. Support your team and they will support you
Many times in my first year, I relied on my team to go above and beyond to get a project finished or manage a security event. Look after your team and they look after you. Make sure they are supported, both personally and professionally.
Focus on creating team well-being and a good work environment. This first year reinforced for me that I can’t do anything well if my team is not priority #1.
