CISO Rule #1: Don’t be a douche…

By Mike Rothman

Let’s take a look at Adam Shostack’s recent post, “The Phoenix Project may be uncomfortable”.

First of all, I haven’t gotten a chance to read Gene Kim’s new book “The Phoenix Project,” but they were kind enough to send me an electronic copy and I will get to it soon. I love the idea of teaching important lessons via a fictional story, even for technology stuff. As much as I like technical books, I don’t read them. I consult them when I have a technical question. But I read stories, and learn by osmosis when plowing through a story I enjoy. In fact I wrote one a while ago using a similar tactic.

Now onto one of the characters in the book, the CISO of the fictional company in Gene’s book.

So let’s talk frankly about John. John is a shrill jerk who thinks it’s a good idea to hold up business because he sees risk. He thinks of his job as risk prevention and compliance, and damn the cost to the business.

If this isn’t the stereotypical security person, I don’t know what is. Of course, there is a reason for that. It seems this whole good guy/bad guy thing is taken too far by too many senior security folks. They get drunk on the power, abuse it, make a mistake, and sooner rather than later are looking for their next gig.

Understanding where security fits in a business proposition gives me not only understanding but even sympathy for business leaders who listen to someone claim that if only the CSO reported to the CEO, they’d have a voice. That’s backwards. If the CSO has an understanding of the business, they’ll have a voice, and won’t need to report to the CEO. Also, the CEO is not the person with cycles to mentor a CSO to that understanding.

Here Adam hits the nail on the head. Playing in the C-suite is all about business, not technology. If you don’t understand your business, you can’t do the CISO job. It’s as simple as that. The Pragmatic CSO is all about understanding that game, also discussed in this recent SC Mag interview.

But first and foremost, to be successful as a CISO you need to be a team player. And you need to understand who your customers are.


People always tell us reports for C-levels should be written in a way “that an eight year old would understand it”.

We could save soooo much money by hiring an actual eight year old instead of them.

Ok, maybe two or three of them, for redundancy - they nap a lot.

By Carl Noba

Isn’t it a shame that after all of this time there are still security folks with that mentality. Especially at the top. They definitely need to read the P-CSO. Still one of my favorite security books.

By Andy Willingham
