Fractional CISO Fundamentals
Our company culture. These fundamentals guide us to achieve personal and business success. They help us secure ourselves and our clients to create a safer world.

We follow good security practices unapologetically. It is okay when things take longer if we are following good security practices. Security is sometimes annoying. Guess what is even more annoying: Getting compromised! We consistently improve our security behavior. What was fine yesterday may not be fine tomorrow. Security first!
Be a lifelong learner. We are in the early stages of the cybersecurity industry. What is true today will not be true in five years. You must stay current with your security knowledge. You must learn new methods and concepts about security. You often learn by doing, but sometimes you need formal training.
No two clients are the same. What might make perfect sense for one client does not make sense for another. We should not have stock answers for questions that are situationally dependent. We calibrate our answers specifically to the environment, the assets, the values, and the risk tolerance of the organization.
Use the ISC2 Code of Ethics Canons when attempting to resolve an ethical problem: Protect society, the commonwealth, and the infrastructure; Act honorably, honestly, justly, responsibly, and legally; Provide diligent and competent service to principals; Advance and protect the profession. Remember, clients come first except when society demands that they don’t.
When you say you’ll do something, do it. Be reliable and deliver on your commitments on time, every time. Be prompt and ready for all phone calls, appointments, and meetings. If a commitment can’t be fulfilled, notify others early and agree on a new commitment to be honored. Take ownership of all of your commitments.
Clients hire us because they need expert guidance. We should always be adding value to the client experience. The client decides what’s valuable, not us. If we’re not delivering value, we need to change our approach.
Ideally, our employee manual would be three words long, “Use Good Judgment.” Good judgment means taking time to pause and question your assumptions. Asking for help when you are not sure is using good judgment. When in doubt, act in Fractional CISO’s best interest.
We opportunistically look for ways to improve ourselves, our company, and our clients. When we see an opportunity, we act on it and share it with every client and employee who can benefit. We give employees lots of freedom, power, and information so they can take initiative at Fractional CISO.
You need to take notes during client (and other) meetings. You will rarely remember what happened in the meeting the next day, week, or month. These notes can be valuable tools for a better understanding of the clients’ needs and requirements. Clients expect us to capture all important details and are reassured when they see us taking notes.
World-class organizations are built on a foundation of highly effective, repeatable processes. Look to create processes for every aspect of your work. Create great checklists, templates, automation, and documentation for other employees to benefit from your learnings. Use those processes to achieve consistent results. Campground rule: Leave things better than you found them.
Business leaders understand dollars and probability. They do not understand technical jargon or ill-defined words. “10% chance of a $5 million loss” is much better than “high risk.” High, medium, and low don’t mean anything if not defined in a particular context. If you say that “low likelihood” is a 1% chance or less of occurrence, then everyone can be similarly aligned as to what it means.
Listening is more than simply “not speaking.” Give people your undivided attention. Be present and engaged. Quiet the noise in your head and let go of the need to agree or disagree. Create space for team members to express themselves without judgment. Listen with care and empathy. Above all, listen to understand.
Appreciate: When you receive feedback, you need to overcome the natural resistance to criticism and instead ask yourself, “How can I show appreciation for this feedback by listening carefully, considering the message with an open mind, and becoming neither defensive nor angry?”
Accept or Discard: Listen to and consider feedback provided. You are not required to follow it. Say “thank you” with sincerity. The decision to react to the feedback is entirely up to the recipient. (Follow the 4A feedback guideline. See Give Great Feedback.)
We share information deliberately. While we keep client-specific information confidential, we broadly and openly share learnings from client work. We share internal information openly when it does not impinge on the privacy of employees. We make sure that people have the information they need to perform their jobs.
When employees are experienced in a skill, it is the responsibility of the leader to enable the employee. Leaders provide context so teammates have confidence to make good decisions. Employees must make certain that they understand the vision and strategy. It is up to the individual employee to use good judgment and execute properly.
We get back to clients, partners, and fellow employees in a timely fashion, measured by the sender’s expectations. Sometimes we don’t have the final answer. Telling clients “I am working on it and will have your answer on Thursday” is being responsive. It reassures them that you’re on it. If the deliverable is multi-week, make sure to give periodic status updates.
While employees are responsible for their individual contributions, success at Fractional CISO is shared. The team is responsible for wins and losses. We all need to work hard to support our teammates for shared success. We all need to hold ourselves and each other accountable.
Gong! There is no better sound than that of the gong ringing after the success of a project. Make sure to celebrate life’s and work’s successes by ringing the gong. When in doubt, ring the gong! Not only is the gong a physical instrument, it is also a metaphor. Make sure to ring the gong by congratulating and acknowledging milestones in co-workers’ lives and careers.
Every mistake or failure is an opportunity to learn, grow, and share. Focus on accountability and resolution rather than accusation and blame. Whether the failure stems from an external source or is caused by an individual’s or team’s actions, focus your energy and creativity first on solving the problem, then on learning from it, then on preventing it from happening again. When we celebrate our failures and share our learnings from them, everyone grows.
Our industry and company do not look the same as they did two years ago and will not look the same two years from now. We need to be prepared for change. We need to embrace change and direct the changes in a smart way.
Managers set high expectations for their team. Managers create a supportive work environment and react to employees’ personal needs with flexibility and understanding. Managers are able to manage more easily when employees are self-motivated to help clients, proactively improve Fractional CISO processes, and deepen their cybersecurity expertise. When an underperforming employee has not responded successfully to coaching, we must move on quickly.
Great employees are the cornerstone of Fractional CISO. It is every employee’s duty to ensure that we are hiring candidates that have the intellectual capability, a growth mindset, and a cultural fit with the company. We must thoroughly vet candidates such that entry-level employees will have a 75% chance of success and senior candidates will have a 90% chance of success. When we have an open position, we must move aggressively to fill the role. We should not allow delay in the hiring process that causes us to miss out on a great candidate.
Every employee should take great vacations (as defined by the employee, not the company). Employees should expect that their minds will be work-free while they are enjoying their time off. It is the vacationing employee’s responsibility to set themselves up for success by providing a comprehensive transition plan for their time away. It is the rest of the team’s job to take on the work while our co-workers are enjoying their vacation. We love seeing photos and hearing about your trip when you return.
A 40-plus-year career can be a grind. We spend more time at work than on most other activities. We should aim to make work fun. We should enjoy working with clients. We should do fun things with co-workers. We should look for ways to improve our work environment so that things are just a little more fun.