So what's it like to be a #CISO? I was Acting CISO of a billion-dollar crypto company for three months during the spring bull run, and am currently Deputy CISO. I'm still feeling the burnout. What mistakes did I make? What are my lessons learned? A 🧵 1/x
#infosec #cybersecurity
As a #CISO, the stakes are high. This is not a drill. Your decisions affect the success or failure of the enterprise. Totes no pressure. 2/x
You make a *lot* of decisions as a #CISO. Mission-critical decisions based on too little information. And you make them *fast*. You're not sure what's going on, and you have to make a decision *now*. Got it? Good. 3/x
The cyber domain has so many known unknowns that the ability to reason in the face of unavoidable uncertainty is a key trait a #CISO must have to be successful. 4/x
So how do you deal with the uncertainty? By understanding that you are not "building a wall against hackers" or "preventing a hack," but you are managing risk. 5/x
Side note: Any #cybersecurity professional who tells you they can "prevent hacks" is a fraud. That's like saying you can "prevent cancer"--you can't. You can only reduce the risk with diet, exercise, etc. 6/x
Risk Management, the one class I hated while doing my Masters in Cybersecurity @BerkeleyISchool, turned out to be the most useful and practical of them all. Tell me how much cyber risk your business is prepared to carry, and I will tell you how to get it that low. 7/x
So let's talk about management. Security is a process, not a product. That means #cybersecurity is fundamentally a management problem, not a technical one--systems, human and machine, must be modified to reliably operate in a secure way. 8/x
Getting people to do the stuff you need them to do does not have a Linux man page. Security requests can seem counterintuitive, even capricious--employees need to understand *why* these changes are taking place. Training and internal comms become critical to success. 9/x
But no security program can be successful without active buy-in and support from the very top. Carrots and sticks. Ask nicely. Lots of times! You want security-enthusiastic employees. But for those you can't cajole, you must be able to compel with executive writ. 10/x
Which leads us to burnout. Burnout and exhaustion are not the same thing. Exhaustion can be exhilarating! Working hard on something you love and making progress is great. Pushing a rock up a hill that keeps sliding down is such torture it's part of Greek myth. #Sisyphus 11/x
Security is not just another department, like Finance, or HR. #Cybersecurity must be a fully-integrated executive flex, or it will fail. If the CEO doesn't have your back--actively, and loudly--then you will fail as #CISO. 12/x
So how do you cope if you're a #CISO and nobody has your back? Well, you can consider going to work somewhere else. If that's not an option, you need to focus on self-preservation of your mental and physical health. You will only change so much. Accept the rest. 13/x
Being a #CISO is all about reasoning in the face of uncertainty and accepting imperfection. You will never eliminate risk, you can only manage it. These personal qualities are the Zen desiderata of the profession, and the attitude I will bring to my next outing as a CISO. 14/x
Resilience is the goal. For your enterprise, for yourself. Your employer *will* get popped. You *will*, at times, find yourself the internal screeching minority. How you respond to inevitable failure is the test of both a good security program, and yourself as #CISO. 15/x