Managing your time, talent and relationships as a CISO



Kermit the Frog once sang “it’s not easy being green” on Sesame Street, expressing a sense of being overlooked and undervalued. When it comes to doing business in 2022, CISOs might often feel the same. Within Deloitte, we are continuously supporting security professionals transitioning into their role as CISO. Here are some of our most important lessons learned.

Written by: Martijn Knuiman, Rico Plomp and Maartje Lavrijssen

Time – Delegate, delegate, delegate

One of the first things we discuss with CISOs in our transition labs is who the designated wing-persons are on the key priorities. Your team's top 5 priorities should receive less than 30% of YOUR time. Your job as a CISO is to make your team successful, and you cannot do that unless you enable others to take responsibility and develop themselves. It is easy to fill your calendar with meetings for 120% of your time, but doing the right thing for your team means keeping time available to invest in your talent and to manage relationships with others outside the security domain, so that you actually deliver on your team's priorities.

Talent – Your team should also include people who provide structure and connect the dots

Of course you need technical specialists to help you manage your security topics across the identify, protect, detect, respond and recover functions. However, you also need project managers or business analysts to help you manage your processes, for example agile sprints (if you have already added "Sec" to a "DevOps" way of working, i.e. DevSecOps) or Plan-Do-Check-Act (PDCA) responsibilities (e.g. under ISO 27001). This is the talent pool that should support you with structure and with conversations with the business.

Relationships – Qu'est-ce que c'est? ("What is that?") You converse in French where the business only understands English

As highlighted in our 2020 survey of the Dutch cyber security landscape, the struggles of a CISO mostly revolve around business-oriented challenges that are far from technical. It is obvious that we should limit our attack surface by reducing the number of Internet-facing applications, that we should periodically perform penetration tests on our crown jewels and that role-based access controls should be in place basically everywhere... right? Whilst that may be obvious to you, it is not necessarily obvious to people outside the security domain. Your requirements will sound foreign to business stakeholders if you do not align them with their priorities. The most successful CISOs do not sit in an ivory tower. They align constantly with their peers in the business entities that make up the company, including Marketing, HR and Finance.

We often refer to our own "four faces of a CISO" framework: in their relationships with others, each CISO spends part of their time as a guardian, a technologist, a strategist or an advisor. We see that over 90% of CISOs lean towards a combination of guardian and technologist, not afraid to protect what they stand for and to dive into the nitty-gritty technical discussion of the latest security incident. However, most CISOs get better traction when they act more as a strategist, setting out the path towards long-term success, and as an advisor to the business. Do not be afraid to socialize your plans with the development teams, the CIO, the CTO and everyone else you pass on your journey!

Communication – Step out of your ivory tower Kermit

Summarizing the above, our experience shows that you should step out of the technical nitty-gritty details, delegate to your team members as much as possible, make sure that non-technical talent (e.g. business analysts) also has a place in your team and, most importantly, step out of your ivory tower. The last ingredient of success is communication. You need to be able to sell your story, and your priorities, to others. That is why we often work with CISOs on three variants of their story: 30 minutes, 3 minutes and 30 seconds. It helps you deliver a concise, aligned story to the board, your business stakeholders, your team, internal audit, third-party vendors and everyone else who crosses your path. Having your story straight lets you be reliable and consistent towards all your business stakeholders.

CISO Transition Labs

As part of our efforts to continuously support security professionals transitioning into the CISO role, the tool we apply most often is a full-day Transition Lab. If meeting face to face is not possible because of COVID, we often split it into two half-days and run the lab in a digital format. In these lab sessions we create and discuss your top 5 priorities as part of your 180-day plan. Next to that, we discuss your time, talent and relationships in the context of your plan and priorities. Where needed, we bring in well-respected Deloitte SMEs on key topics to join the conversation and share real-world examples and challenges they have seen and solved across the globe.

Our CISO Transition Labs have proven to be one of the most successful tools for helping newly appointed CISOs find their way, and they are also often used in discussions with long-serving CISOs to re-align on priorities.


For me, participating in a CISO Transition Lab has been both fun and educational. The Lab itself and the report-out provide me with a plan that provides direction, helps me with my CISO-function priorities and offers a guideline for the next steps. In addition, it provides me with implicit subjects and thoughts on my future as a CISO.

                                         - CISO of a multinational organisation -


Furthermore, some CISOs have even asked us to take their directors and managers through a lab as well, as they recognize it as a constructive tool for taking their security maturity to the next level.

Also interested? Please reach out to our CISO transition lab team.
