Seasoned CISOs know that failure to plan past a two-year window is dangerous—to both their company and their job security. Yet all too often, security strategies look only two years out.
Imperva CISO Shahar Ben-Hador has been with Imperva for eight-and-a-half years—the last two-and-a-half in the role of CISO, just past that infamous two-year mark. He recently joined Paul Steen, Imperva’s Vice President for Global Product Strategy, to discuss the phenomenon of the “Two-Year Trap”, how he works to avoid it, and his thoughts on how CISOs can extend their job life expectancy with a long-term view.
Read highlights from their conversation below and listen to the complete recorded webcast here: “How Not to Get Fired as a CISO: Building a Long-Term CISO Strategy”
Paul: When asked to describe the role of the CISO in one sentence, you say “it’s to make sure that the company does not get breached.” But what if a company does get breached? Does that CISO get fired?
Shahar: I think a lot of InfoSec professionals used to believe that would be the immediate consequence, but I know of several CISOs who experienced a breach and, because they were so essential to their company and performed their job well—doing all the right things, both before and after the breach—remained in their role.
That said, it’s important to identify the threats you are working to protect against and agree on the priorities with your management team. Once you agree on the most important assets, develop great programs for those. If an asset outside of that gets breached, the probability is good that you’ll continue in your role because you focused your efforts on the right priorities for the company.
Paul: What sort of person is needed to be a CISO? What are the important qualities?
Shahar: A successful CISO needs to be both strategic—long-term plan, collaborate with teams, communicate to executive management and the board—and tactical. The devil is in the details. You can pick a great technology that’s right for the business, but you can also completely screw up implementation. I’m not saying the CISO needs to implement it on their own and know every aspect of every implementation, but a CISO needs to work with their team to make sure projects are managed down to the smallest detail.
Another quality would be embracing innovation. I think those who don’t will have a difficult time being a successful CISO. Threats evolve and adversaries innovate all the time, so defenses to prevent attacks have to innovate and evolve too. And businesses evolve as well. Think about a coffee shop chain that used to only take payments in store, but now offers mobile payment options and customer portals. As a company’s infrastructure evolves, so does their threat landscape.
Paul: There’s still that requirement to maintain the long view and look far enough down the road. How do you balance that?
Shahar: There’s a lot of hype about the next big thing, mostly from vendors who have a great new product to offer. As a CISO, I have to assess what’s going to be a fundamental technology over a longer period of time and what’s fundamental for our business. Sometimes it’s not easy and everybody makes mistakes. But the longer you remain in your role, the better you get at predicting what’s going to be a long-term success versus just a short-term trend.
Paul: It can be beneficial for a company to have a CISO who stays in the role for a while; they have the potential to be strategic with time. Why do CISOs change jobs? When do you typically see that jump happening?
Shahar: I’ve talked with a lot of colleagues about this and found some trends. I see CISOs who stay on the job for 15 years or more—typically very successful, seasoned people who are doing a great job for their companies. Then I see other CISOs who stay for about two years or leave shortly after. I think the reason for that is it’s natural for people to focus on and fix the immediate gaps, and it takes about two years to close the primary gaps you identify. Then I see CISOs who do not plan for a longer tenure because they think they may get fired. But the reality is if you don’t plan for a longer tenure, you very well may be fired! You can do a terrific job in two years, but if you haven’t planned for the third or fourth year, your role is at risk.
Paul: How can a CISO avoid that “Two-Year Trap”?
Shahar: Here’s what I do for myself and with my team. Every six months, I imagine that I just got hired into my job. Every six months, I look back to see what was done before my time, before my “new” time, and then review what might need to be changed with my team. Maybe something was right a year ago, but not anymore. This process keeps us very, very focused, both on the practical level and on the strategic level. We always have a plan for the next two years.
Paul: Of course, as a CISO, you can’t do the job without your team. If you can’t maintain a team, then that doesn’t bode well for your own longevity.
Shahar: Exactly. I think that part of a CISO’s role, and I’m not saying it’s an easy one, is to educate the company that there is essentially zero unemployment in InfoSec. That they need to be open to being more flexible and offering competitive packages. Employees want to reap the benefits of their efforts and many want to stay at the same company for longer than two years. In that case, it’s the CISO’s job to keep their team intact and work on keeping things competitive for those professionals.
Paul: What about looking at the long-term view of security?
Shahar: Here’s how I view it—every company has their own DNA. Every company has things they care about more than anything else for their business, their management and employees. That DNA is different for each company, and I think being a CISO for many years helps you better understand that DNA and how to protect it—whether it’s healthcare information, credit card information, a proprietary application, or what an application looks like. For some, it’s their cars, whether they’re vulnerable to attack and can be taken over. It’s fundamental for the CISO to understand what those critical assets are and focus on protecting them. The DNA may evolve over time, but more than likely not as fast as the attacks.
Paul: Would you give us some tips that you’ve followed to be successful when it comes to this long-term planning?
Shahar: Sure. My favorite is what I call red [and blue] team activity. Red team activity is pen testing performed internally, typically by very skilled employees who are kind of “hackers on license”. They are given free rein to break you wherever they want. My number one recommendation is to use this strategy as much as you can, and the more often the better. Exercise them on their own. Exercise them against the blue team—the blue team is the defense, the internal response function. It’s always better if they find something and not the adversaries. Yes, it creates a lot of work to fix their findings, but it’s always been successful and energizing for me and the teams.