Planning for the Next Generation CISO


Session Insights
Written by Stephanie Arendt

Kirsten Davies

SVP & CISO

The Estée Lauder Companies

JANUARY 2, 2020

It’s no secret that we need more cybersecurity professionals to keep our organizations safe and secure. According to a recent Gartner survey, the effect of the challenge is actually worsening – 61% of organizations said they are struggling to hire security professionals.

What’s even more challenging? Finding the next generation of leadership for the security role.

Kirsten Davies, SVP & CISO, The Estée Lauder Companies, challenges peers to take a holistic look at how they’re building the next generation of leaders: not just the CISO role, but also their programs, team, culture, and presence inside the organization and the industry.

Uncovering Hidden Talent


To combat the skills gap, CISOs need to change the way they think about talent and where it comes from. Four years ago, Fabrizio Freda, President and CEO, The Estée Lauder Companies, started a reverse mentoring program in order to keep in touch with the latest digital, social and shopping preferences of Millennials and Generation Z audiences.

Now the organization has more than 470 reverse mentors globally, with over 300 senior leaders in 22 countries who are being mentored by the next generation in how they think and operate, what’s important from IT and technology choices, and how the business interacts with its consumers.

For Davies, this approach has been critical to success in her security function and the greater organization, and security leaders should look to embed programs like this that can bring new voices and people to the table.

“Having these new types of voices on your leadership team and at your table become critical to not only attracting talent but to retaining talent as you move forward,” advises Davies.

Establishing the Next Gen CISO Team


If you were promoted tomorrow, who would step into your role and backfill the one you’re leaving?

Beyond building a strong bench, this is about mapping the capabilities, needs and future structure of your program and role. To be successful at this, Davies recommends CISOs commit to doing three things:

  1. Capabilities Assessment

Conduct an in-depth assessment of your team to know their skills and abilities. Understand who you have inside your team, if they’re sitting in the right place and if they have had the right training. It also offers insights on talent mobility.

“It’s not about if they fit a certain job profile or job description, but are they actually executing on the mission that I need them to execute on, or would they be better in another role?”

  2. Create Structured Opportunities

What gets measured gets done, and a structured mentoring program, sponsorship and/or stretch assignments help ensure that the initiative is sustainable. Davies has built a next generation CISO talent platform: identifying Millennial talent in the organization – not just from the technical or IT side – and creating a shadow leadership team. Going a step further, that team lead sits regularly in her leadership meetings.

“They’re the voice of the next generation of CISO talent. They can also sanity check decisions that are being made. They can provide visibility into how the rest of the team may be thinking.”

  3. Mirror and Empower

By ‘mirror,’ Davies means reflecting on the kinds of leadership behaviors and actions that you need from the team. Make sure that you have people on your team who reflect the most important areas of your work. This way, they can act as an extension of the security mission. If you fail to do this, you’re setting yourself up to be stretched way too thin.

“What are you doing right now inside of your own leadership team that’s empowering, enabling and challenging your team to step up to that next level for them?”

Culture & Designing for Scale


Sometimes, in the race to move fast and lock talent into functions that are needed now, CISOs fail to design for the future, and culture falls by the wayside. To build efficient, optimized teams, CISOs should focus on:

  • Scale

    1. Start with the operating model and what it is that they’re trying to deliver.
    2. Overlay that with the skills and capabilities mapping of their people.
    3. Deliberately structure people inside of those teams so that they’re required to collaborate.

  • Culture

    One place to start to change your culture is to change the hiring profile.

“If we’re always hiring for bachelor’s degrees in computer science, with 1-3-5-7 years of experience, we’re never going to solve this problem.”

This is also an opportunity to be intentional about who, how and where you hire in order to bring in a wealth of diverse perspectives, from gender identities to educational backgrounds. Davies cited recent conversations she’s had with CISO peers who are looking to bring in sociology majors into their security teams to rethink insider threat programs.

Security teams face many obstacles, including constant changes, missed family time and long nights. Having a strong and supportive culture that celebrates differences and empowers teams to work through those challenges together is paramount to success.

“We need to create an inclusive culture in our industry which says that we’re going to work together to solve these problems, we’re going to celebrate one another’s successes, and we’re going to help one another through these challenges.”

Content adapted from the 2019 Global CISO Executive Summit. Special thanks to Kirsten Davies and The Estée Lauder Companies.
