What’s It Like for a New CISO?

As of this writing, I’ve spent six months in the role of Chief Information Security Officer (CISO) at Axonius, a rapidly growing technology company. Though I’ve held a variety of leadership positions over the years, working in this capacity and setting is new for me. I’ve been capturing aspects of my journey in talks and articles so that others might learn from my experiences.

What was my first month like? Having joined Axonius a few months earlier to lead Product Management, I benefited from knowing the company’s business goals, people, and culture. Still, it took some time to get adjusted to the new role and start feeling a sense of ownership. I captured my impressions and the resulting tips in this DarkReading article:

Your First Month as a CISO: Forming an Information Security Program

It’s easy to get overwhelmed in your new position, but these tips and resources will help you get started.

One of my team’s first projects was to unify identity management and deploy Single Sign-On (SSO). Our IT infrastructure is consistent with zero-trust architecture principles, so it made sense to treat identity as the focal point of many security decisions. This effort mostly freed our employees from juggling multiple passwords, helped with enforcing access controls, and made it possible to automate user provisioning tasks.

In the process, I discovered that enabling SSO in many SaaS products can involve significant expenses. I shared my frustration in the following Infosecurity article:

SSO Out of Reach: SaaS Pricing Strategies Weaken Customers’ Security

Want to enable Single Sign-On (SSO) in a SaaS application that your organization uses? Be prepared to pay for this “privilege” as the fees will likely be more than you think.

As the company’s cybersecurity program started gaining shape, I had the opportunity to form a budget. I used to advise others on such initiatives during my consulting days, but owning the program and being the one justifying expenses was another learning experience. I captured my observations in this Help Net Security article:

How CISOs Can Justify Cybersecurity Purchases

Without business-relevant details and the right context, the people reviewing your request won’t understand its necessity and significance to the organization.

Given that Axonius’ product is a cybersecurity asset management platform, I continue not only to benefit from our own tool but also to consider how this foundational measure can advance a security program. Asset management is deceptively unsexy, yet incredibly useful when done right. I shared my view on the reasons for this on the company’s blog:

What, Why, and How of Cybersecurity Asset Management

Security leaders who’ve implemented effective asset management will live longer, healthier, and more fulfilling lives :-)

My perspectives on asset management and the role of a CISO in a technology company were also captured in the following 17-minute interview, conducted by Ed Amoroso of TAG Cyber:

Other ways in which I’ve publicly reflected on the CISO experience include the Life as a CISO interviews that I host at Axonius, such as my conversations with Sam Curry of Cybereason and Ray Espinoza of Cobalt.io. (Perhaps you should tune in.)

I’ve shared some of my lessons learned with a group of CISOs at a recent Bessemer Venture Partners event (that’s the photo at the top of this post). I’m also planning to give this talk, titled Reflections of a New CISO, at several conferences, including SANS 2020 and Gartner Security & Risk Management Summit 2020. Maybe I’ll see you there.


About the Author

Lenny Zeltser develops teams, products, and programs that use information security to achieve business results. He is presently the CISO at Axonius and an author and instructor at SANS Institute. Over the past two decades, Lenny has been leading efforts to establish resilient security practices and solve hard security problems. As a respected author and speaker, he has been advancing cybersecurity tradecraft and contributing to the community. His insights build upon 20 years of real-world experiences, a Computer Science degree from the University of Pennsylvania, and an MBA degree from MIT Sloan.
