A CISO's right hand on how security communications can build credibility across the organization
Jessica Walters is Senior Security & IT Program Manager at Tessian, and former Chief of Staff to the CISO of Cisco’s Security Business Group. I had the pleasure of working with Jessica in her former role and in this Q&A, she shares her perspective on how to use security communications proactively in building an effective security team.
You have a strong background in the security industry. What attracted you to working in cybersecurity?
I actually landed in security by chance! Almost 10 years ago I was lucky to be located near Duo, a rapidly growing startup in Ann Arbor, MI. This was before remote work was so widely supported, so I was grateful for the vibrant tech scene that has long found a home in our midwest town. I had been learning as an executive assistant and Duo had an opening to support their founders and the executive team. I’m so glad they took a chance on someone with no security experience and very little tech background, because it led to many opportunities for me to jump into new roles in IT and security that I would not have been able to experience. It’s there that I first discovered security is a good match for my skills.
Within that realm, you’ve held a somewhat unique role: Chief of Staff to the CISO at tech giant Cisco. What was it like to be the right hand of a CISO?
It is by far one of the most fulfilling roles I’ve had the chance to define and occupy. As a Chief of Staff you are constantly in a state of learning and growth, which I enjoy. You’re also a key component in enabling the efficiency, working relationships, and reputation of your CISO and entire team. I love the variety of hats you get to wear as you carry this type of torch for the team. However, it can also be challenging at times when you’re working hard to bring the rest of the organization along with the critical importance of security.
A Chief of Staff in any business unit has to wear many hats. What is different about supporting a CISO than say, a VP of Engineering?
Supporting a CISO is definitely different from supporting other C-Level roles because security is such a cross-functional discipline. It intersects with every single part of an organization. Not only do security teams have to focus on delivering against our team goals, we also have to influence and support the goal delivery of other teams against our security objectives. These goals aren’t always high priorities for them, compared to the work that drives profit for the business, such as feature development. It’s a balance between making sure we aren’t standing in the way of other teams progressing towards their goals while also ensuring that they understand why prioritizing security outcomes drives the business forward in an equally meaningful way.
You had a firsthand view of what CISOs struggle with as leaders. What did you observe/learn in that regard?
By far the biggest challenge I see facing CISOs is the constant state of “educating the business” or evangelism they have to live in. They are constantly walking uphill, bringing the business along to understand why security matters. At the same time, they are always putting out fires and often must walk the organization back from decisions that inadvertently open up the business to risk. This can be emotionally exhausting and I suspect is why many in this role fight burnout.
I think the root of this problem stems from the second biggest challenge I see facing CISOs, which is not being included in critical conversation points. Some of the ways I’ve seen this manifest include:
The CISO is not considered an actual part of the executive team. This can be because of reporting structure (i.e., the CISO reports to the CTO), or because of organizational hesitance to expand the size of their executive team. In this case, the CISO is unable to ensure that securing the business and its customers’ data stays at the forefront of strategy-building conversations. And, in the case of companies building security software, an opportunity to have your in-house “voice of the customer” in early product strategy development is completely missed.
The CISO is not given an opportunity to interface with the board of directors. The board should understand and care about security investments and the best way to ensure that is to allow them to develop a healthy working relationship with their CISO. This is even more important in organizations that are building security software; your CISO is the best and most accessible asset the executive team and board of directors have in understanding the perspective of their customers. I have partnered with my CISO and others who are experts in this field, like Discernible, to develop content for the Board that is meaningful and builds trust in our CISO, and by extension with our entire executive leadership team.
The CISO and security team are not treated as an equally important pillar within the product development organization. I have worked in organizations where Engineering and Product have a very tight and well defined working relationship that was crafted without including the security organization. In this case, the security team is in a constant state of catch-up in the product planning and delivery processes. It’s inefficient and opens up the organization to unnecessary risk.
Tell me how strategic communications help a CISO get the outcomes they want, including budget, staffing, board support, etc.
Every communication coming from the CISO and security organization is incredibly important. You want the mission and goals of your security organization to be well understood and accessible to everyone so your partners in the business understand and appreciate how security intersects with their area of focus. Strategic, thoughtful communications really have the power to reduce friction and make the security evangelism process easier, which, as I mentioned, is a big part of every CISO’s job. Clear, consistent security comms also have the power to make everyone in the organization feel empowered to contribute towards running a secure and trustworthy business.
As Chief of Staff, how were you able to use communications and comms experts to help your CISO be successful? Are there specific methods, tools, approaches you found worked particularly well?
Because the CISO is often incredibly busy with other parts of their role, communication efforts are likely to fall to their Chief of Staff or other team leaders. I’ve been lucky to work with Discernible in the past to help us refine and improve the communications coming out of our team. Some methods we’ve found important include:
A clearly defined security team mission and guidance for the team on how to actually live it. For example, what behaviors are expected from an organization with your mission and how should it be used by your team in decision-making?
A simple and easy to understand way to access your security team.
Meaningful reporting that captures the security team’s impact (not just outputs).
A regular cadence of live opportunities for the CISO and security team to share learnings and provide transparency to the value their work delivers.
Communications coaching for team members transitioning into new roles or stuck in a cycle of ineffective communications with a colleague. Effective communication often requires individuals to master multiple communication styles and be able to switch between them at the right time.
In my view, the most important part of all communications is transparency, wherever possible. Leading with transparency around what security actions you are taking - and why - is the best way to build trust with your security organization.
You also spent several years as a Security Program Management Lead at Duo. How did that experience help shape your approach to security communications and working with CISOs?
Duo was such a unique and special experience. I often say “I’m jaded!” because I’m not sure I’ll ever have the good fortune of experiencing such a genuine interest and care in always doing the right thing - for your people, for the business, and from a security perspective. I think this really was possible because the founders led by example and operated with this mindset from day one. They hired people who were passionate about security and understood the importance of securing the business and delivering a product that enabled our customers to do the same. It became part of the organizational DNA - everyone felt a part of our mission to “democratize security.” This strategic communication choice drove a sense of purpose in everything we were doing as an organization. I carry this mindset with me as I continue to think about building security programs and supporting CISOs. It’s not just about putting the right words on paper when building your organizational security plan…it’s about connecting your team and peers with a really important mission.
You say in your LinkedIn profile that you “feel strongly that we are humans before professionals, and I enjoy helping build teams that value this approach.” Given the stressful, often-chaotic nature of SecOps, how can teams create and maintain a human-centric approach to their work?
I’m SO passionate about taking care of people. This is true in general, but especially in SecOps and all security roles, you have to give people the space and support they need to show up as their full selves. Who we are at work is such a small part of the human experience, and when we expect people to come in each day as only their work-selves we miss a really easy opportunity to build a trusting and safe team dynamic. We also have to give our teams the ability to recharge. This means holding each other accountable for taking time away and actually disconnecting when we do it. Leaders within your security organization play a huge role in setting the tone within a team on this front. Managers have to trust their team enough to step away and also set healthy work boundaries every day (make scheduled messages in Slack your friend!).
To learn more about how Discernible can help you scale as Chief of Staff to the CISO, contact us here.