I am often asked about the importance of mentorship, what value does it provide and has it helped me with my career? Of course, my answer to them is that I am a big proponent of mentorships and yes I actually have several mentors. The formal dictionary definition of a mentor is an “experienced and trusted advisor”. I define it more informally as a sharing of information, life experiences and support from the mentor to the mentee to help them improve their life, career, and spiritual development. With that said, I didn’t always want a mentor, there were times I felt like I didn’t need one but that is when you need someone to talk to the most and give you an honest opinion. In the discussion to follow, I want to talk about five critical skills that I have learned and developed with the help of mentors. I use and teach these skills daily in my career as a CISO.
1. Tenacity In my life, my first mentor was my father
We didn’t always agree with each other but through his guidance I learned the importance of tenacity. This is a critical skill that I have found invaluable, especially when you work in dynamic changing environments where you don’t always control the resources around you. How it applies to being a CISO, there will be times in life when it’s just straight brutal and you will want to give up and change your mind on a strategic decision. My father taught me how to be steadfast in the middle of that storm, reevaluate the available options and then to select a path and continue pushing forward. He has since passed away, but much of his guidance I use today when I mentor my sons and my security teams. To me, he lives on in the people around me that I have been blessed to lead here at Webroot.
2. Time & Resource Management
My first career mentors were assigned to me when I made Chief Petty Officer in the US Navy. As a Chief, we were trained and mentored by more senior Chiefs on how to not only be servant leaders to our divisions, but be creative in managing our time, people, equipment, and programs with limited resources. During this time in my career I was assigned multiple senior professionals as mentors, they were there to help me transition from being a senior technician to my new role; the manager of a 35-person department. In the beginning, I had a hard time learning to manage people. However, through hard work with my mentors, I learned to focus on the positive each person had to offer and looked for roles they could fill that would provide them and our command value. The one crucial skill I learned during this time, that I still use today, is how to build teams around an experience team member. I would provide projects and with a light touch guide them, but allow the more experienced team member a chance to lead their team and only step in when needed for feedback or to change the priority of projects. This provided room for the team to either fail or succeed, so they could grow professionally and be effective.
"There will be times you need assistance and someone to speak to and you should provide the same when a peer requires it"
3. Service Delivery
The next critical skill, I developed after I had retired from the US Navy and transitioned to a career with the Federal Civil Service in support of the US Navy. The command I joined, I would serve there for over six years as a CISO, Deputy-CIO, Privacy Officer and network architect. It was during my time at this organization that my CIO stepped in to mentor me on how to manage cross-functional technical teams and provide services to our 35 different departments. While partnered with this mentor, my boss and CIO Palmer Taskerud, I developed a view that cyber security is actually a service my teams provided to our departments. I began to view these departments as my customers and using the principles of continuous improvement, my team members, and I documented what services the departments required from us for them to be successful. With this information, I upgraded my security program and budget focusing both on providing cyber security as a service tailored to my departments specific business needs. It was one of the first times where I looked beyond a regulatory framework to understand the reality of how cyber security is intertwined in all business processes. This clarity enabled me to provide crucial security services that were actually needed by the organization to meet its strategic business requirements.
4. Risk Management
This lesson and security skill I had been developing for years and it was centered on the view of cyber security as an integral component of enterprise risk management. For the first half of my career I had followed a pretty rigid definition of information security and risk management being separate disciplines that existed in parallel. It was through working with my mentor, friend and co-author Matt Stamper, which changed much of that perception. Matt, and many of my peers in the CISO community, helped me see cyber as part of a business’s overall risk fabric. I began to look at cyber security as a continuous life-cycle process, each step focused on reducing my organizations exposure to risk. This understanding is crucial for today’s CISO, it is critically needed to help that security executive explain the value of an enterprise security program and help the organization understand that the business, not the CISO, owns risk and the CISO is there help the company manage it.
5. Strategic Planning
This last and final life-skill is one that I am still learning today from my mentors. As a CISO, I have a responsibility to understand my organizations risk and technology portfolios and then design a security program that employs the correct amount of technology, controls and policy to mitigate any issues. This is not an easy process, in fact it is another continuous life-cycle of inventory, assessment, scanning, remediation and monitoring. In this life-cycle, the results of the assessment process can be used to create and prioritize a list of controls that are immature and require remediation. This remediation results in a list of projects and it will be on the CISO to acquire resources and champion the value of them to the business. This is an executive skill that CISOs must master and be willing to collaborate with their peers and ask for assistance when needed.
I hope I have provided some insight into the value mentors can provide you as you walk your own path in cyber security. I am fond of saying that “security doesn’t exist in a vacuum, however it will thrive in a community”. I view mentorship as part of that community, there will be times you need assistance and someone to speak to and you should provide the same when a peer requires it. So collaborate with each other, don’t be afraid to ask for help and welcome mentorship.