How should I spend my time as a CISO?

I decided that I would like to write again for Medium. For those of you that read my SecArch Files, I’ll do so under a new name given this new topic: CISO Contemplations. Moving from consulting to a new and executive role within my organisation is a big change for me. I will be sharing some of the questions I ask myself and how I go about solving them to become a better CISO. I am looking forward to your feedback and I hope these articles will help you in your role.

We’re coming to a close of week 2 in my new role as CISO. Counter to common consultant-practices, I am trying to ‘experience the organisation’ first. Quite passive — simply noticing how the team and our broader IT team works. As a consultant you are asked to address a specific situation, and problem-solving overdrive mode is our go-to. But the span of control of a CISO is quite wide. And so I first need to figure out what that span looks like before I can surmise what is going well and what needs work.

One of the things I have noticed is that the entire world now wants to meet with me. And I like meeting them. Building a strong network is the foundation for CISO success. But I also sat into meetings where I was unsure why I was attending. Having worked for other CISOs as a consultant, many felt they were only ‘firefighting’. They were going from incident to incident and had not enough time for strategy setting. That’s why this first ‘contemplation’ is on how I want to spend my time as a CISO.

On tracking time

Finding your time buckets

  1. People Quality Time. Meeting new people, maintaining relationships, coaching people in my team.
  2. Management. Interacting with our Dutch IT Management, the Information Security Team or CISOs from other countries.
  3. Personal Growth. Hard skills or soft skills training and receiving coaching.
  4. Security Strategy: Why are we doing this? Reviewing security maturity and business needs, vocalising a strategy, setting up improvement initiatives.
  5. Security Management: What are we doing? Decision-making on risks, budget, time, people allocation and program SteerCo’s.
  6. Security Operations: Let’s do something! Most operational responsibilities are with my team. I support in navigating business & IT through security processes, reviewing plans and incident management.
  7. Internal Community Impact. Sharing my vision and explaining security throughout the company’s business & IT. This can also be on talent, culture, leadership, D&I, sustainability and purpose.
  8. External Community Impact. Sharing my vision and explaining security outside of the company. E.g. by speaking on conferences, presence on social media, networking with other CISOs.

These are the things that I have come up with based on my first two weeks. I am curious to hear from you whether you use different ‘buckets’ or you think I missed out on something. I am also not sure whether these are all things I should be doing. I e.g. noticed I took part in quite some ‘security operations’ the last two weeks. To what extent are these part of my duties? Or were people just roping me into their work?

Setting time goals

  1. People Quality Time: 20% (8 hours)
  2. Security Strategy: 20% (8 hours)
  3. Security Management: 15% (6 hours)
  4. Management: 10% (4 hours)
  5. Personal Growth: 10% (4 hours)
  6. Security Operations: 10% (4 hours)
  7. Internal Community Impact: 7.5% (3 hours)
  8. External Community Impact: 7.5% (3 hours)

You’ll notice I have taken a 40-hour workweek as the basis. As a leader I like to role model a healthy work-life balance. I may work more when I want to, but sticking to a ‘normal’ week makes it much easier for the people around me to do the same. Besides, this entire post is about working more effectively. If you can’t do the things you need to do in this time, the first step should be to cut out the things that matter less instead of working more.

Performing a time audit

The results over this week show that security operations took a lot of my time. I did not spend enough time on security strategy. I said at the start of this post that I was ‘experiencing the company’ before bringing any ideas, so this is not surprising. Plus, security operations are an excellent way to learn how security in our company works. But this pattern, like with other CISOs, is something to be mindful of towards the future. For the upcoming time, I have now blocked 8-ish hours every week in my agenda to spend on security strategy. And who knows? We may find out that is 8 hours is too much and I should be re-routing it somewhere else. The other categories look pretty balanced when it comes to expenditure versus goal. I know I have weeks coming up that lean towards certain categories, so it will be interesting to see how the averages develop over time.

In conclusion

This article is written on my personal title. Although I talk about my experiences at work, this article does not necessarily represent the views of my employer.

Originally published at https://www.linkedin.com.

Specialist in Security Architecture | Director @ The SABSA Institute’s BoT | Diversity & Inclusion Champion | Conference Speaker | Personal account