The New CISO Podcast: Landing a Seat in the C-Suite

In this episode of The New CISO, Steve is joined by Mike Woodson, Director of Information Security and Privacy at Sonesta International Hotel Corporation, to discuss the risks and rewards of being a CISO. Starting out in law enforcement and cybercrime investigation, Mike now applies his police mindset to cybersecurity leadership. With his varied experiences in mind, he shares how his unique background makes him a well-equipped CISO.

Varied skills make you unique and valuable

Mike shareshow he applies his police investigative skills to the cybersecurity field, saying that his law enforcement experience taught him how to ask the right questions to understand what he’s dealing with during a threat. He understands that his varied skill set is a unique asset to the CISO job; it helps him get to the root of problems. 

An exciting job in Indonesia

When asked about his favorite job, Mike shares how much he enjoyed his time working for the Indonesian government. He worked with various global agencies investigating cyber crimes, which allowed him to make a difference and meet impressive people. Mike describes, “I was able to see progress and developing economies, worked with the different police departments, and made a difference by seeing them learn, and teaching and advising them. I had the opportunity to develop laws, work with various legal communities, and go before the parliament in Indonesia. It was fascinating.”

Life can surprise you — embrace adventure

Mike’s advice to his younger self is to never settle. Mike mentions that things don’t always go as planned, but he took the opportunities that came to him. “Be adventurous and spontaneous and you’ll be okay,” he advises. “That’s what I did. I did not plan to go to Indonesia for three years. I did not plan to be a CISO of one of the largest transit systems. And in my current role, I didn’t plan on even being here. It just happened.” 

Mentors can make all the difference

Mike discusses how having mentors impacted his career path, stating, “In terms of guidance, I was fortunate. I had some great mentors. I still have them. I surround myself with mentors who helped me. One example: his name is Peter Smith, and he took me under his wing. When I came out of college, he gave me my first job. He taught me how to sell.” 

When going for a new role, be both interviewer and interviewee 

When it comes to CISO interviews, Mike says it’s important to be yourself and take the interview as it comes. Ultimately, you have to focus on being dynamic and asking probing questions, he says. You have to “look before you leap.” Mike advises, “You can prep but also listen and interact with the interviewer. Don’t be the driver, let the conversation drive itself.”

Mike emphasizes the importance of asking questions in an interview, “A lot of people don’t probe and ask questions about what happened to the previous CISO. In some of the roles that I’ve had, I should have asked some more probing questions before I took it on. What your role is also gives you a perspective of how serious the organization’s going to take security and take your role.”

Mike provides some questions to think about when interviewing:

• Why am I here? 
• Why are we having this conversation? 
• Why did this role become available?

Why such high CISO turnover?

Mike shares his insights on why some CISOs leave a position: If someone in this role is being treated as an afterthought by higher-ups, it can easily lead to dissatisfaction. For such a high-pressure job with crucial responsibilities, it’s essential to be taken seriously by management and paid appropriately, he says. Mike stresses the importance of CISOs being a part of the C-suite, saying, “Security should not be an afterthought in any organization. Especially now that you’re doing business, using platform computing, cloud, and technologies, the risk is high. The CISO isn’t just this person that you should sit in the corner and call when you need them, they need to understand the business itself. And so it’s important now that the rise of the CISO has a seat at the table in the C-suite.

“The other part is finance. You’re taking on responsibility and you are the executive responsible for keeping this place, cybersecurity, and everything that comes with it. Compensation is very important. That causes a person to pivot and leap when they’re not getting a bonus.”

A new CISO should have a 90-day plan

Steve asks Mike how new CISOs can be proactive post-hire. To Mike, a CISO is a person who looks, listens, and leans into his work.“I always like to come in the door with a 90-day plan,” he says. “This is subject to be adjusted and also revisited and updated as we go along as I get to know the inventory in the organization. You always want to come in with that 90-day plan and build relationships. Listen to people, sit down, and take them to coffee. Know the business, the meaning of the business, and the business alignment.” 

Mike provides tips for reaching out to people within your organization, “I send them an email introduction. Then, get an opportunity to introduce yourself, and ask for 15 to 20 minutes of their time, whenever works for them. In this meeting, you can say ‘I’d like to talk about the business, how it’s going, and the attributes. I want to know about you and I want you to know about me. I appreciate you giving me the time and your calendar, number one, but also for doing the job that you do.’”

Incidentally, Steve has a blog post on 5 things CISOs should achieve in their first 90 days.

For even more insights, listen to the podcast or read the transcript.