Over the last couple of years, I’ve written and spoken regularly about the changing roles of the Chief Information Security Officer (CISO). And what better way to demonstrate the many skills the position requires – from the technical to the managerial – than journaling a day’s work. A CISO has to be the strategic partner his or her company needs to manage risk. So for anyone who may be curious, here’s what a day in the life of a CISO looks like.
Hit the ground running
05:46 – Time to get up. Traffic is pretty heavy driving into work, so I have to leave early. As I rise, I check my phone for new emails. Then I check my calendar… it’s going to be a busy day.
06:42 – I pull into Starbucks. I need my venti Pike and a hot morning bun to help me wake up for the day. As I wait for my coffee, I’m already thinking about my meetings and reading through emails. I learn that we need to triage an issue with Webroot’s SIEM vendor that prevents Webroot employees from accessing certain URLs. I need to speak with the team about tuning our email gateway to stop flagging certain types of email attachments.
07:27 – After making it to the office, I grab another cup of coffee as I walk to my office to check email and read cybersecurity news articles I’ve flagged.
08:10 – After I finish reading email, I prepare for a meeting with my team at 08:30.
- We’re currently transitioning from one fiscal year to the next, so I want to review with my team what we have budgeted and go over projects that have been funded. I want them to have some context about what we will be working on, what security controls we need to mature and I want each of my team members to volunteer to help manage a project with the project manager.
09:46 – Time for a quick meeting with my Deputy. I work in a satellite office in San Diego, but I’ll be at headquarters in Colorado in a couple weeks, and I want to plan some team meetings.
- As a CISO, it’s important that I mentor my team and spend time one-on-one with its leaders. As the role of cybersecurity has matured, much of what we do is now woven throughout the business, and I believe it’s critical that my team develops the skills it needs to relate to non-technical stakeholders.
10:31 – As I put together a 3-year strategic roadmap to help my organization achieve its goals (ISO 27001 and GDPR certification), I seek out another point of view from my CISO mentor. Even I need assistance at times.
- As a CISO, you must continually challenge yourself to learn about innovative technologies, new cybersecurity skills, or new management skills. I will never know everything, and I can’t expect my team members to be active in the cybersecurity community and grow their professional skills if I don’t do the same.
11:54 – I’m meeting with a local cybersecurity start-up for lunch. They’ve developed technology for a scenario-based testing platform that evaluates and establishes a risk baseline for an organization. I’ve followed this start-up for several years, and now that they have funding I want to see what changes they’re making to their platform.
- It probably goes without saying that as a CISO, I find new technologies fascinating, and I continuously look to improve the security suite I have built for my organization. It’s my responsibility as the senior security executive for Webroot to be familiar with innovative technologies and to look at new possibilities that will provide strategic value to my company.
13:41 – Reviewing notes from the meeting with my CISO mentor. He provided me with some spider graphs, which we used to annotate a security risk scorecard. I want to use this data to put together a slide deck outlining the projects we will work on over the next 36 months, split into two phases.
- It’s critical to have a strategic roadmap of projects, backed by a risk scorecard that annotates our current state risk baseline. That way, as my team proceeds to work with our business units to update technologies, improve work processes, and complete ISO compliance requirements, we can watch our risk scorecard change. As the CISO, this will enable me to demonstrate the business value of cybersecurity by reducing our risk exposure and maturing our operations.
15:00 – My team and I are meeting with a threat-hunting vendor, planning to do a “proof of concept” for their technology. We requested a demonstration and a Q&A session.
- I’m continuously working with my team to improve how we view threats to our organization. We want to have a real-time view into how data enters the enterprise, how it is used, how it is accessed, and when and where it exits the organization. Throughout that lifecycle, we want visibility from a single platform to log, alert, analyze, hunt, and remediate when required.
16:47 – After reviewing late emails, I call my boss to check in.
After business hours
18:17 – After fighting through traffic on the way home, I change to go on a four-mile power walk. As I walk, I use my voice recorder to review meetings and events I had today and lay out ideas for future projects. I also look for articles to review tomorrow, and remind myself to register for the CISO roundtable dinner next week.
20:05 – After having dinner with my family, I retire to my home office to write for an hour. I am in the process of writing my second book for CISOs, and I must dedicate a specific period of time to writing every day so that I stay on track.
21:32 – Now I’m catching up on Krebs and Cyberwire. This is when I really feel like I’m catching up on what’s going on in the cybersecurity community. I found some articles on interesting technologies, so I shared a couple of them with several of my peers at work.
22:30 – Time to call it a day. Shutting down the office now, and heading upstairs for bed.
01:28 – Woke up with a spontaneous idea to write an article about 24 hours in the life of a CISO. I jot down some ideas to send to our Public Relations department in the morning.
05:56 – The alarm goes off, and I hit the snooze button for ten minutes. Time to roll over, check my email and start another day…
At the end of the day, I’d like to thank Webroot for giving me the opportunity to be that valuable information security partner I talked about earlier. I’d also like to tell those veterans who are transitioning and looking for a new career, the cybersecurity community needs you. We’d be honored if you came to serve with us.