To succeed as a CISO, you need to learn how to manage expectations of employees, customers, business, board… in terms of what security level they can get within the real constraints like resource, time, budget… without destroying usability, user experience, behavior & culture.

Luck finds you faster when you're focused on putting in the work.

Only if I had a penny for every time a vendor said that they are 100% secure, I would be a millionaire. Add NextGen to that, and I'd already be a billionaire. Add AI-enabled to that, and I'd probably become the first trillionaire. Who knows!.

5 ways to become a better CISO:.1. Care about your users.2. Build a non-blame culture.3. Throw away jargons in the bin.4. Understand your business' POV.5. Master the art of comm. & negotiation. What would you add?.

The ability to be resilient and bounce back from adversity is the greatest trait of a successful CISO and leader.

That's a wrap!. If you enjoyed this thread:. 1. Follow me @MonTalksCyber for more of these.2. RT the tweet below to share this thread with your audience.

Great communication is:. - Tailored to the audience.- Relevant to the stakeholders.- Timely and accurate to their needs. Otherwise you are just spamming them. Here you can read the 7 lessons in details (with real CISO stories):.

7. Communicate, repeat & say it one more time.Ca. 13 years ago, I had a meeting with a CEO. Instead of going through a pentest report, I shared a story. 99% would've read the report verbatim. Instead, communicate in different ways. Anticipate questions. Address them proactively.

6. Figures Support, Story Sells.I have pitched a 1000 times to top management and boards of multiple corporations of different sizes. I got the outcome I wanted 9 out of 10 times, not because I used powerpoint or stats, but because I went in with a strong story.

5. It Takes A Village - Build One.No one can whistle a symphony alone. It always takes a village. It’s your responsibility as a security leader to be the orchestrator that brings that village together and to create a symphony. There is no one-person CISO team.

4. All Measures Put Together Does Not Equate Zero Risk.We know that 100% security doesn’t exist. However, the bigger fallacy is that “if you put in all the controls it will lead to zero risk”. There is no such thing as zero risk.

3. Your No. 1 Job as a Security Leader is to 'Negotiate'.This took me years to learn, something that I learnt the hard way. Security leadership may be 5 % tech, 5% risk management but it’s a whopping 90% negotiation on a day to day basis.

2. Credibility Matters But Don’t Be “The Expert”.Credibility is built on trust, common values and strong relationships. However, on the flip side of it, you can overdo it by being “The Expert”, by thinking you know it all, or by feeling that you need to have all the answers.

1. Who Knows You Matters More Than What You Know.Building relationships is literally the no. 1 step to making an impact in your organization. How do you do that? Make yourself visible, approachable and open to feedback.

Being a first-time CISO is hard!.Everything takes 2x time and 3x making mistakes (eventually learnt the hard way). But you don't have to. 7 lessons I wish I knew before my first CISO gig to help first-time security leaders keep moving forward and succeed! 🧵👇.

As a CISO, more than 90% of your job is expectations management and negotiation. Not every battle is worth it. Save your time and energy for the battles worth it. Knowing what is worth negotiating is even more important than knowing how to negotiate. Pick your battles wisely.

Hot take: If you want to be a successful security leader, get comfortable with taking and understanding criticism. You want your stakeholders and your team poke holes in your ideas and solutions faster than cyberattackers can.

Unpopular opinion: AI-enabled is NOT the solution to everything.

A fact: Past performance or history is not a reliable indicator or metric for when will you face a cyberattack (next).

A crisis management document or a business continuity plan lying in your (virtual) drawer is not going to protect you from a cyberattack.

Cybersecurity mostly struggles with 1 of 5 issues:. - They don’t understand customer's problems.- They don't understand business' POV.- They don't care enough about users.- They go in armed with jargons.- They overcomplicate tech. Fix these and you've built far better security.