"CISO Tuesdays": A Day-in-the-Life Collection


A day-in-the-life series launched in June 2020 sheds some light on what the role of a higher education CISO (chief information security officer) entails on a daily basis.

[Image: calendar with Tuesday page open. Credit: Mmaxer / Shutterstock.com © 2020]

Every week the New York Times publishes a snapshot of someone's Sunday routine. This weekly is part performance art (a shocking number of people have routines of stunning virtue usually involving 5 am workouts), part a study in unusual jobs, and partially a character study of artists, activists, and celebrities. While charming, it's often thought-provoking and provoked the thought — why not me? Well, I'm neither charming nor a celebrity, but I do have an unusual job, and one that's often misunderstood, even within my own field. Yet, a series consisting of one story is, well, merely a memo, so I've invited a number of friends, colleagues, and thought leaders who occupy the CISO role at various institutions to share a typical day-in-the-life. They're all people I respect and continue to learn from.

No single day can fully represent the range of activities a CISO's job entails, but collectively I hope these paint a fuller picture than is commonly understood. I chose Tuesdays since it's as good a day as any other and part of the mid-week triumvirate (T through Th), so don't read too much into that. Nor is it guaranteed that each essay will be a precise reckoning of a specific Tuesday. Sometimes one gets lucky and a day miraculously opens up for writing and deep work. So consider this a representative Tuesday.

With this introduction on June 29, 2020, I launched the "CISO Tuesdays" series on Medium, with the hope of shedding a little light on the life of a CISO (chief information security officer). All of us who work in higher education share a number of characteristics, such as a sense of service and a commitment to our institutional missions of education and research. As someone who has been a CISO for nearly twenty years, I'm continually struck by what's encompassed by the role. At times it feels like a proxy for the full scope of our institutions. Writing or interpreting policy? Check. Disaster recovery? Check. Wrestling with nation-states? Check (usually it's checkmate, but I'm trying to be optimistic today). Planning, mentoring, architecting? Check, check, and check. Sometimes I feel like our job description should simply be fill-in-the-blank.

Yet, the more I work with other CISOs, the more I see that our jobs are different in many ways. Some of that stems from the idiosyncratic aspects of our colleges and universities. Some derives from the size, location, or public/private nature of our institutions. But more importantly, despite the consistency of the problems all CISOs face, each of us brings to his or her job a personal intellectual style—that is, a distinct approach to conceptualizing and organizing our jobs and our time. While it's great fun to pontificate about philosophical questions, each of us makes, every day, a thousand small decisions that operationalize philosophy, and I suspect that analyzing those small decisions can be more revealing than debating abstractions. Therein lies the potential value of a day-in-the-life story from a variety of CISOs, especially with some being new to the role and others having been thought leaders in our community for as long as I can remember.

What I've found interesting as the series has continued is both the commonalities (dear lord, is email purely or mostly evil?) and the differences. Leadership styles, learning, managing—with every story, I find myself reflecting on how I organize my own time. I try to mine the pieces for ideas I can adopt and learn from. I find it continuously humbling. So far, fifteen authors from diverse institutions and backgrounds have contributed, and we plan to continue the series for the foreseeable future. Medium reports more than 7,000 views and over 10,000 minutes spent reading the pieces—truly a testament to the writing of our authors. But we can do more. As was pointed out to me by Jack Suess, vice president of IT and CIO at the University of Maryland, Baltimore County: "I think if there is one thing you aren't capturing in the day-in-the-life of CISOs, it is the opportunity to interact with different types of people on campus and touch so many different facets of the university." And he's right: the blessing and the curse of being a CISO is that we're obligated to stick our noses into just about everything. Perhaps if the series hadn't been started within the timeframe of the COVID-19 pandemic, the pieces would reflect more of this diversity of human interaction.

Some themes recur throughout the pieces. Most CISOs (e.g., Rebekah Skiver Thompson) spend part of their time on various exigent matters, such as COVID-19 and remote learning. Others (e.g., Michael Tran Duff) devote part of the day to deliberating on leadership techniques. And almost everyone (e.g., Ed Hudson, Allison Henry) deals with supplier reviews. Many CISOs greet the dawn already up and at 'em, so I have a special place in my heart for Randy Marchany's piece, representing us night owls. Overall, I think this comment by Jodi Ito best captures the feeling of many CISOs: "My job as a CISO is to balance security, privacy, compliance, and accessibility AND to keep everyone happy. Guess what? NOT POSSIBLE!" Still, we love tilting at windmills.

There are many more Tuesdays in our future. Hopefully, this blog post will encourage other higher ed CISOs to drop me a note and get penciled in for a contribution. All the authors have mentioned that they found writing these day-in-the-life pieces to be a challenging but enjoyable way to stretch their mental muscles a bit. As most of us know, the opportunity to participate in the national higher education community is perhaps the single most important avenue for professional and personal growth open to us. I hope "CISO Tuesdays" is seen as one of those opportunities.

For more information about information security governance, compliance, data protection, and privacy programs, please visit the EDUCAUSE Review Security Matters blog as well as the Cybersecurity Program page.


Michael Corn is Chief Information Security Officer at the University of California, San Diego.

© 2020 Michael Corn