On the importance of a business mind-set:
Charlie Brown: When I first moved into the business, I went to the website to do some research, and our Web filtering software wouldn't let me go to Abercrombie because it identified it as pornographic material. Another thing it wanted to block was "XXXL," which is a size of clothing, so it kept orders from going through.
So one of the insights I would offer is to really understand the markets you're in. Sixty percent of the volume in the garment industry comes out of China and Asia. You can't create a security policy if you don't understand what the Great Firewall of China is all about or the cultural differences of how people work in Indonesia and Bangladesh. You can't have a data center migration policy if you don't understand people in some countries work Saturdays, don't work Fridays and don't celebrate Christmas.
John Hartmann: If I could change one thing about my career before transitioning into the business, I would have spent more time understanding the inner workings of how the business made money. Every company has a different business model and a different way of being profitable.
Understanding that profit model will give you a more balanced perspective around how you make proposals and position important initiatives, whether it's information protection or computer security or business continuity. It will help you think more broadly about what solution should be pursued and how you should implement it in a cost-effective way.
On what "networking" really means:
Scott Blake: What I understand better now--and wish I understood better as CISO--was the importance of networking. I thought I understood it, but not as well as I do now, and the time I spent being a financial adviser was incredibly helpful for that.
Security and IT people tend to be very analytic, and we tend to want to persuade with facts and data. But getting a client to understand what they need to do to secure their financial future is a very emotional thing for them, and the same is true in the information security world. You need to make an analytical connection, but you also need that emotional connection.
If I'd known that when I was a CISO, I would have done a lot more networking and paid a lot more attention to the emotional piece of the case I was trying to make.
On understanding business leaders: