Fractional CISO Fundamentals
Our company culture. These fundamentals guide us to achieve personal and business success. They help us secure ourselves and our clients to create a safer world.
Ideally, our employee manual would be three words long, “Use Good Judgement.” Most situations would be well handled by using good judgement. Asking for help when you are not sure is using good judgement. When in doubt, act in Fractional CISO’s best interest.
Gong! There is no better sound than that of the gong ringing after the success of a project. Make sure to celebrate life’s and work’s successes by ringing the gong. When in doubt, ring the gong! The gong is not only a physical instrument, it is also a metaphor. Make sure to ring the gong by congratulating and acknowledging milestones in co-workers’ lives and careers.
Do what you say you are going to do when you say you are going to do it. Be reliable and deliver on your commitments every time. This includes being on time for all phone calls, appointments and meetings. If a commitment can’t be fulfilled, notify others early and agree on a new commitment to be honored.
Speak honestly in a way that moves the action forward. Make clear and direct requests. Say what you mean, and be willing to ask questions, share ideas or raise issues that may cause conflict when it’s necessary for team success. Address issues directly with those who are involved or affected. Don’t say anything about anyone that you wouldn’t say to that person’s face.
Listening is more than simply “not speaking.” Give people your undivided attention. Be present and engaged. Quiet the noise in your head and let go of the need to agree or disagree. Create space for team members to express themselves without judgement. Listen with care and with empathy. Above all, listen to understand.
Create clarity and avoid misunderstandings by discussing expectations upfront. Establish mutually understood objectives and commitments. Where appropriate, confirm your communication by asking others to repeat back their understanding to ensure total clarity and agreement.
Great meetings lead to great results. All meetings should have a meeting owner, a published agenda and the appropriate attendees. The meeting’s location, physical or virtual, must be entered in the location field of the meeting invitation.
The meeting owner must exhibit good time management. Toward the end of the meeting, follow-up action items should be explicitly agreed to. Written follow-up should occur in email or in the project management system.
We look for ways to constantly improve ourselves, our company and our clients. When we see a client problem, we work to fix it. Even if a client asks for something specific, we should understand what the underlying need is.
We should deliver what the client needs, not just what they ask for. If the problem is systemic, we should either work to resolve it or escalate it so every client and employee can benefit. We give employees lots of freedom, power and information so they can take ownership at Fractional CISO.
Aim to assist. Feedback must be given with positive intent. We do not give feedback when we are frustrated. We do not aim to hurt others. Clearly explain how a specific behavior change will help the individual or company.
Actionable. Feedback must focus on what the recipient can do differently. “Your presentation is undermining its own messages,” is not helpful. “The way you ask the audience for input is resulting in only Americans participating,” is more helpful. “If you can find a way to solicit contributions from other nationalities in the room your presentation will be more powerful,” would be the best. (Follow the 4A feedback guideline. See Receive Great Feedback.)
Appreciate. When you receive feedback, you need to overcome the natural resistance to criticism and instead ask yourself, “How can I show appreciation for this feedback by listening carefully, considering the message with an open mind, and becoming neither defensive nor angry?”
Accept or Discard. Listen and consider feedback provided. You are not required to follow it. Say “thank you” with sincerity. The decision to react to the feedback is entirely up to the recipient. (Follow the 4A feedback guideline. See Give Great Feedback.)
Great employees are the cornerstone of Fractional CISO. It is every employee’s duty to ensure that we are hiring candidates who have the intellectual capability, a growth mindset and the ability to fit into the company culture.
We must thoroughly vet candidates such that entry-level employees will have a 60% chance of being successful and more senior candidates have an 80% chance of success. When we have an open position, we must move aggressively to fill the role. We should not allow delays in the hiring process that cause us to miss out on a great candidate because they take a competing offer.
Life happens. Managers should create a supportive work environment and react to employees’ personal needs with flexibility and understanding. In response, employees should push themselves to be high performers and to grow their capabilities.
When an underperforming employee has not responded successfully to coaching, we must move on quickly. Employees who tried their best but failed should be given a generous severance package to ease the transition. We do not put unsuccessful employees on a performance plan. It never works and drains the rest of the team.
Business leaders understand dollars and probability. They do not understand technical jargon or ill-defined words. “A 10% chance of a $5 million loss” is much better than “high risk.” High, medium and low don’t mean anything unless they are defined in a particular context. If you define low likelihood as a 1% or lower chance of occurrence, then everyone is aligned on what it means.
Use the ISC2 Code of Ethics Canons when attempting to resolve an ethical problem. Remember, clients come first except when society demands that they don’t. The Code of Ethics Canons are: protect society, the commonwealth, and the infrastructure; act honorably, honestly, justly, responsibly, and legally; provide diligent and competent service to principals; and advance and protect the profession.
“Employees are the product.” Taking care of the employees means that employees feel safe and motivated. In turn they should do a great job taking care of our clients. We should take care of each other.
© 2024 All rights reserved