Hacking It as a CISO: Advice for Security Leadership

Published: 23/11/2024   Category: security




A security leader shares tips for adopting a CISO mindset, creating risk management strategies, and selling infosec to IT and executives.



Modern security leaders find themselves at the crossroads between business and technology, selling the importance of security to all levels of an organization while helping them maintain efficiency, create a risk management strategy, and prepare for the inevitability of a cyberattack.
This idea of selling information security is the area where security leaders struggle most, said Peter Keenan, CISO of a financial services company, in a DEF CON talk. As security practitioners transition from roles as technical analysts or engineers into leadership positions, they learn the challenge of driving security through a business without control over employees' performance.
Information security at its core is influence without authority, he said, and it's more involved than convincing executives to invest in new technologies. Security leadership may feel like a lot of top-down selling, convincing the board and CEO that you're doing well, but leadership also means conveying the importance of security to people across all levels of the business.
If you actually want to fix security at an organization, you have to sell it from the bottom up, Keenan said. It's the people on the ground, the people at eye level who are actually doing the things that will make you more or less secure, and you have to convince them that this is the right thing to do, and these are the changes they need to make in their processes to be better.
This requires a different strategy depending on who the CISO is talking to. Consider IT: You may think tech folks all have a similar mindset, he said, but selling security to IT can be a challenge.
IT's goal is getting information to as many people as possible, as quickly and reliably as possible. Their concerns are cost, features, and uptime. Security isn't among their main goals — it's adjacent to their goals, and infosec has to convince IT how security can be helpful.
Because people respond better to a story than to data, Keenan suggested a penetration test. Show someone walking through the environment; demonstrate how they could be targeted. This can help counter optimism bias, the tendency people have to believe they're less likely than others to experience a negative event. Nobody thinks they'll be next to get hacked.
If you demonstrate clearly [that] they are capable of making mistakes, they'll be angry at first, but generally if they're professionals, they'll get over it and want it to be better, he explained. CISOs don't want to bring IT concerns to audit or management unless they absolutely have to.
Selling security to the board is different. Most board members are focused on security now; they know it's a risk and they want the CISO to know they care. A key thing to remember here is that few of them have technical or cybersecurity backgrounds. In preparation for board meetings, he advised readying answers for four questions they're likely to ask:
Are we compromised right now? Answer with a high, medium, or low likelihood — be humble — along with why you think this.
How vulnerable are we to compromise? Explain details like who might attack you, what they might target, how they'd get in, and what you've done to counter that.
How are we proactively addressing the next generation of security threats? Here, elaborate on budget, organization influence, and team size.
What is our plan if we get compromised? Review the incident response and cyber-crisis communications plan.
Risky Business: Speaking Executives Language
An area where security leaders can find middle ground, and a key differentiator between sole contributors and leaders in cybersecurity, is risk.
Business leaders understand it, Keenan said. They may not understand your specific technical domain, and they may not understand what a router or a switch is, but they understand the language of risk.
Keenan outlined several terms security leaders should understand before risk conversations. Risk reduction — ensuring systems are patched and users are trained — is one. There's always a chance a patch didn't work or a user didn't reboot after it was applied, but the overall risk will be lower. He spoke to risk acceptance, a concept technical pros struggle with. If there's a 10% chance a website will get hacked, but it'll only be up 30 days, the business may decide to risk it.
It makes our heads explode, but absolutely, that's their call, he added. The CISO's job is to identify, quantify, and report a risk; it's the CEO's job to accept it.
Security leaders must understand risk appetite, or the amount of risk a business is willing to take on. Everyone has a different tolerance level: Financial services is usually more risk-averse; tech firms and startups are more risk-favorable and take chances. There is no numeric value here, he said, and most people will have a different definition for it. A CISO will have to chat with a lot of people, learn their risk appetite, and communicate it back to senior leadership.
Because everyone has a different view of risk, the CISO has to consolidate their viewpoints into a calculable risk level — whether someone is low, medium, or high risk. It helps to create a lexicon that brings everyone onto the same page and builds a common understanding of risk; if an incident occurs, having this framework will get everyone on the same level.
An effective way to mitigate risk is to build a team to help you manage it. Keenan advised his audience to build a diverse team with a range of backgrounds and experiences. The more viewpoints you have on your team, the better you're going to be, he said. In order to effectively manage risk, the CISO and their team must understand it from every angle.
These perspectives can inform the company's cyber-risk profile, which should include the likelihood of getting attacked, the frequency of security incidents, who may target you, and the impact of a potential incident. This profile should also include external viewpoints from peers and law enforcement, and it should be updated over time as processes are adjusted.
Businesses are in a race with today's cybercriminals, Keenan emphasized, and their strategy should plan for continuously investing more in security training and awareness. Security hygiene should be a top priority in protecting the business, from patching critical vulnerabilities to ensuring frequent backups and phishing tests, so that the organization is protected against the most likely types of attacks. People talk a lot about advanced persistent threats and sophisticated threats, but most don't need to worry about them.
Chances are, you're going to get owned by a mediocre ransomware crew, he said.