You’ve probably heard the phrase “You can’t squeeze blood from a turnip” before.
The point is that no amount of begging, coercing, pushing, or otherwise coaxing something can yield results if those results simply aren’t possible. Many organizations, however, hand a proverbial turnip to the CISO and expect blood in return.
Executive management or the company board have expectations for the CISO. It’s the job of management—and particularly of the board—to wring every last drop of productivity and potential revenue from the resources available, and that includes the CISO. It’s fair for an organization to have high expectations as long as they’re reasonable and attainable expectations.
So let’s start there. You have to ensure you clearly understand what is expected of you as the CISO. What metrics will your performance be measured by? What tasks are you required to accomplish, and in what timeframe? How much budget do you have available to dedicate to your tasks? Do you have the right number of employees to accomplish the tasks, and do they possess the appropriate skills?
These are all important questions to answer because they impact each other in a sort of Venn diagram—the resulting overlap is the set of reasonable and attainable goals. In and of itself, a goal to implement two-factor authentication for all sensitive applications and data access is reasonable. If your organization expects you to achieve that goal with a budget of $100 and/or expects the task to be accomplished by next Tuesday, however, it’s an entirely different story.
Establish clear expectations with your manager—whoever it is you’ll be answering to. Then assess the resources you have to work with. Then you can start to figure out where the overlap is between what is expected and the resources that are available so you can determine what’s reasonable or attainable.
Making A Case
Next you’ll have to deal with the stuff that falls outside of that overlap. Hopefully most of your expectations will fall within the realm of reasonable and attainable, but inevitably there will be goals that simply can’t be achieved with the resources available. Again—you can’t squeeze blood from a turnip.
Identify the areas that need to be addressed and then figure out what the problem is—or at least which aspect of the problem you believe should be solved. In the example above, the goal of implementing two-factor authentication isn’t the problem. The problem is that it can’t be done by next Tuesday and it can’t be done within a $100 budget.
The other side of establishing clear expectations is effective communication. Don’t miss expectations and hope nobody will notice. Be proactive about monitoring tasks and assessing progress and communicate any issues that arise.
When you take the issue to your manager, don’t just say “this goal is impossible.” Explain what challenges you face in achieving the goal as expected given the current resources, and build a case for why additional resources should be allocated or how the goal should be modified so it can be met as expected.
It’s not OK to fail. It is OK, however, to negotiate or modify expectations. Be prepared to let your manager know there’s no blood in the turnip and make a case for how to most effectively achieve the established goals.