'Leading Up & Down The Chain of Command' As A CISO
I was listening to the audiobook of “Extreme Ownership” by Jocko Willink and Leif Babin, in which they share their experience as Navy SEAL commanders and how to translate that experience to the realm of business.
I did not know what to expect from the book. Yes, I know that many cyber professionals (including yours truly) love to consider themselves “warriors of cyber”, fighting against the ‘bad guys’, and so many more battle metaphors.
But still, I had no idea how strongly a specific part of the book would resonate with my experience in the cyber managerial realm. One chapter in particular (Leading Up and Down the Chain of Command) really stood out.
I was shocked at the level of similarity and, more importantly, at the clarity and pragmatic approach this book can give cyber professionals for dealing with our daily ‘missions’.
CISOs and other cyber managers are currently in a challenging position in which they need to ‘lead’ both up and down the chain. They need to manage their teams, and they also need to ‘manage’ their management and decision-makers.
So, I wanted to share a real-life experience from my work as a cyber security consultant to show what ‘managing up and down the chain of command’ means to me.
Background:
I was brought in by the Chairman of the Board to an organization that had a strong and capable IT department but no proper security team at the time. I was acting as a temporary CISO and project owner in a post-data-breach situation, tasked with building a complete security methodology and a team that would work together with the CTO and the IT team.
After several board-level meetings, it was decided that the entire overhaul project would be framed around GDPR compliance. As the company was post-breach, it would adopt GDPR best practices including data encryption, DLP, a SOC team, a new DPO role (and much more). I was acting under the ‘command’ of the Chairman; the board approved the entire plan and we officially started the project.
Challenges – Phase 1:
Following several planning sessions with the CTO and the IT team leader, we understood that the company had a HUGE amount of legacy software and hardware (something I see in many companies: old computers running outdated operating systems, or an ERP system with compatibility issues).
Newer computers running newer operating systems were a mandatory requirement for the newest security tools, so the IT department faced the huge challenge of upgrading the entire company and getting the infrastructure ready for those tools.
The CTO and the IT Team leader understood the scope of it and said they could do it.
Challenges – Managing down the chain of command:
The replacement of legacy IT software and hardware started, the entire IT team was working nonstop, and of course problems started to occur:
- The upgrade project was taking more time than initially anticipated, mostly because several “top-ranking” departments were adding challenges to the process, e.g. ‘not allowing an upgrade in a specific department because they are working on that quarter’s budget and no one can interfere’, or ‘delaying an upgrade of specific software because they did not have the time or the will to train the new mid-level managers on the newer version’, etc.
- The IT team was avoided because staff didn’t want their computers and software changed (because who likes change…?)
In a meeting I had with the team, I remember hearing sentences like:
- The new project is taking so many resources that we barely have enough to keep the day-to-day running, and this is making our users angry about our service.
- Before this project, we had it stable, we had it calm, people liked us.
- Before this project, we had no issues with the heads of departments, and now we need to “fight” in order to get this project moving.
The IT team started to “hate the project”.
I remember stopping and asking the IT team very directly, ‘What is the purpose of this project?’
They hesitated a bit and then replied, ‘To get the company GDPR compliant, that annoying regulation/compliance thing.’
And I remember thinking to myself: this is MY ERROR, I did not communicate the big picture well enough. They were so focused on the micro tasks that they were not seeing the big picture, and I had not communicated it as I should have.
I sat down with the team and explained very clearly that we all knew the company had suffered a data breach. They were lucky and the exposure was minimal, but it could have been much worse, so bad that it could have ‘killed the company’. The Chairman of the Board brought me in to make sure it would not happen again; that was my clear mandate.
The purpose of the project was to protect the company, to protect all the different departments, to protect the people, and to protect their families, whose livelihoods depend on the company. It was a real “fight for home”: the true purpose of the project was to protect the company so that it would continue to be a home for many years to come.
I also explained that without the IT department being “all in”, we couldn’t get to the next phase of installing the security software, and without that we would not achieve a secure company.
As leaders, it’s our job and our responsibility to make sure that every person we are in charge of knows exactly what he or she is doing and, most importantly, WHY. It isn’t just to “tick some regulation box”; it’s to secure the company that is a home and a livelihood for most of the employees.
It’s all about communication: explaining why we do the things we do.
I also understood that my next task was to ‘manage upwards’, because the same issue was happening with the C-suite and the heads of departments.
Challenges – Managing up the chain of command:
In the next board meeting, I came down “hard” on several of the department heads for “not allowing” IT to do its work.
Their feedback was very similar to that of the IT team and was focused on their specific projects, their budgets, their tight schedules or goals, etc. Most of them did not understand how their behavior was actually impacting the project itself. (They honestly didn’t make the connection: “how can my department slow down this entire project? It doesn’t make sense.”)
They knew the big picture and the purpose of the project, but they did not fully understand the steps required to “get us there”, and again I understood it was my responsibility to communicate clearly WHAT we were doing, and WHY.
So, I sat down with the CFO, the IT team leader and the IT department and walked through all the steps in the checklist for installing ONE new computer: getting it set up with all the required software, etc., and all of this while keeping the user working on a temporary terminal.
I will never forget what the CFO said: “Wow – you do this WITH EVERY SINGLE USER?” and the team leader replied, “Of course – we need to make sure everything works 100% before we hand it over.”
I used this opportunity to remind the CFO that all of this “hassle” was to keep the company secure: the same goal, exactly the same goal, that I had explained to the IT team and that the Chairman of the Board had told us to execute.
Following that, I requested (demanded) several things:
- No department will slow down the project, no matter what.
- If there is a critical need for a “unique” scenario, the CFO will provide additional budget for extra IT resources so that upgrades can be done during nights or weekends.
The bottom line: no one is too “special” to bypass our timeline. If more time is required, we “buy it”!
The CFO agreed, and during the project additional budget was supplied and an external company was brought in to help with the new software installation, mostly during weekends, ensuring zero impact on employees.
The ROI for the CFO was clear; all he needed was an understanding of “what is happening and why”.
In my role as temporary CISO / project owner, I constantly needed to ensure clear communication and expectations between the team I was managing and my “management”.
All had to be aligned to the same goal, and it was my responsibility to keep them aligned.
My experience has shown me that if you communicate clearly, make it goal oriented, remove ego and be pragmatic, you will get both teams on your side.
The project was a big success, and the company itself is now a showcase for technological methodologies like “full encryption for unstructured information” and a global SOC team that mitigates most incidents before they have any serious impact.
Plus, IT and the new cyber team are working together better than ever, both able to get their budget requirements from the board by clearly communicating their needs, the main goal, the steps to getting there and, most importantly, “what exactly IT and Cyber expect from the Board”.
Bringing it all together
Ultimately, when a CISO takes responsibility for a project, task, risk, or anything else, there needs to be a very clear definition of WHAT THEY ARE RESPONSIBLE FOR and WHAT THE END GOAL IS.
And this needs to happen at board/decision-maker level before approval, because ultimately a CISO needs to be able to manage up, down (and sideways) to take ownership of challenges and correct issues as they arise. This can’t be done without a very clear and explicit understanding.
In this instance I was able (and was given the authority) to ‘sit down’ members of senior management and ‘demand’ from the C-suite because the scope and mandate were clearly defined before I took the project on. I knew exactly what the end goal was, and it was my responsibility to communicate effectively to make it happen. Without this clear ownership, there would have been delays, and potentially the abandonment of the project when resistance was met.
You’ll always get resistance (people hate change even for their own good), but with the right ownership, you can be empowered to forge ahead and lead up and down the chain of command!
Eli Migdal – Co-Founder – Boardish