The New CISO Podcast: Ed Kiledjian on Recovering from a “Bad CISO”
Having spent the second half of his career as a security advocate, Edward (Ed) Kiledjian knows that security is an essential part of reaching a business’s ultimate goal. He consistently finds, however, that businesses consider security an afterthought, not realizing how important it is that it’s baked into every technology product they offer.
As vice president of information security for Toronto-based OpenText, Kiledjian finds that truly understanding all aspects of business is the key to success as a CISO. Ed recently spoke to The New CISO podcast about recovering from a “bad CISO.”
The benefits of experience
Kiledjian has an interesting perspective on leadership, thanks to being introduced to the qualities of a good leader early in his career. That boss not only served as a good example but also gave Kiledjian some advice that has paid dividends throughout his career.
“I think the core value, what has really driven my success in the last 30 years, has been one single truth,” Kiledjian says. “And that is to deliver more value than the organizations we’re working for expect. And if you deliver that, if you deliver more value than they expect, you’re always going to be successful.”
Bad CISOs, defined
How do you know when your CISO isn’t the best? According to Kiledjian, the first step is to take a look at the CISO’s history with the department. Pay particular attention to what the person has been able to accomplish in the past 24 to 36 months. If the CISO is floundering, it could be that the organization isn’t providing funding and support, which is a sign that the CISO isn’t seen as a business partner. A successful CISO is someone who is seen as bringing value to the organization, and whom the leadership team loops in early on in a project.
“And so, they’ll come to you early in the process of a new project,” Kiledjian says. “A new initiative, a new strategy and say, ‘Hey, how can you, Mr. Security guy, help me make this more successful?’ That’s when you know that you’ve gotten a certain level of success within that company.”
The ultimate measure of leadership
Being a good CISO is about more than managing a business’s IT infrastructure. As Kiledjian has found, CISOs need to fully understand how other business processes work. They also need to have a firm grasp of budgeting and human resources management, including hiring, firing, and keeping up team morale.
“My goal, my ultimate measure with employee success, is if an employee leaves my team, whether that’s through promotion or goes to some other company in the future,” Kiledjian says. “If I’ve made them better, if they are better for having worked for me, then I’ve succeeded.”
Bad CISOs aren’t bad people. They simply lack all the complex skills necessary to be effective in the job. In many cases, Kiledjian found, these are highly skilled security technicians who are promoted into the position because of technical competency. But getting the skills necessary to manage teams and train other employees to do their jobs well often takes experience in areas outside of IT.
“Anybody who wants to be a leader in security, I try to create a coaching program from there,” Kiledjian explains. “And I learned this 28 years ago from one of my earliest bosses, who basically took a chance on a young overconfident young kid, put me on a plane, sent me to Hong Kong for two years, to run a global project for an airline there.”
Kiledjian takes his own early experience and uses it to make sure his own employees are prepared to become CISOs later in their own careers. Few things make him happier than getting a call from a former employee, letting him know that because of the help he provided years earlier, that person is now CISO of an organization.
For Kiledjian, the definition of “the new CISO” is one who never stops learning. A constant quest to improve your leadership, technology, and business skills is the best way to prepare for leading a team in the information security field. Long after achieving that goal of being a CISO, a leader should still be on a constant search to learn and improve.