Suddenly a CISO?! Four Pieces of Transitional Advice
Note: Verizon Media is now known as Yahoo.
There’s a learned instinct among some security leaders to keep secrets. Security, after all, can be an insular practice. It’s common to feel we know delicate information as stewards of someone else’s safety. Sometimes we do.
Other times, our secrets are entirely unnecessary. Even worse, they can work against us.
My name is Sean Zadig. I’m Yahoo’s Chief Information Security Officer (CISO). And I’m an all-of-a-sudden CISO.
Let me explain. Many CISOs are hired straight into the role. Maybe they were CISOs somewhere else. Maybe they were senior security leaders in another company.
But, some CISOs — like me — come up through the ranks.
I’ve been at Yahoo for nine years: first as a team lead, then senior manager, then director, then senior director, and finally VP, before becoming the CISO near the start of the pandemic, in March 2020.
It’s a big job. Yahoo is among the most trafficked properties on the Internet. Nearly a billion people interact with our products — News, Sports, Finance, and other mainstays — monthly.
I attribute much of my success as a CISO to my ability to communicate.
Indeed, a strong and proactive culture of security communication benefits our business by helping product executives realize their goals for delivering value to our customers.
The transition between technical security leader and CISO wasn’t easy for me. As such, I want to share some advice I wish someone had shared with me at the onset of my tenure.
Ignore your Expertise
At the start of my tenure, I already knew a lot about the teams I had built and led during my earlier rise through the organization: E-Crimes and what has become the Advanced Cyber Threats Team (ACTT, for short). I knew less about other parts of the security organization, such as Product Security or Governance, Risk and Compliance (GRC).
That meant I had to spend more time with the groups I knew little about and ignore the ones I knew best: the teams I had just spent the past six years building.
Practically, that means a lot of one-on-one meetings.
Quarterly, I meet with C-level executives. Monthly, I meet with the executives in charge of Yahoo’s individual lines of business — and, more frequently, with individual engineering leads.
Weekly, I meet with my boss, the Chief Technology Officer, Aengus McClean.
I also get together for infrequent coffee chats with groups of individual security engineers as a way to learn more about their expertise.
Default to your Experts
Speaking of experts. The Paranoids — Yahoo’s information security organization, which I steward — are a team of true experts. They’re leaders in the field. And I’m super lucky to champion their work.
I’d spent most of my career as an investigator — first with NASA’s Office of Inspector General (OIG) and then inside E-Crimes teams at Google… and, here, at Yahoo.
That meant when technical and product leaders around the company had questions for the new CISO about other areas of security, I often just said, “I don’t know. I’ll find out who does.” And I defaulted to the people on our team who knew best.
The folks who actually run and operate those teams. Not me. (Side benefit: I learned much about their work from their answers to those questions. Additionally, those experts got great exposure to the company and its leaders.)
Network with Fellow CISOs
The best thing I did early on in my tenure as CISO was building a network, whether in online forums (many closed information-sharing environments), group chats, or in person. (In person was initially challenging, as I became Yahoo’s CISO three weeks after the COVID lockdown began.)
I quickly found we were all facing similar challenges. Those with more experience quickly answered my questions about:
- Organizational design;
- Interactions with boards of directors;
- And vendor selection.
I’ve gotten a lot of mileage out of asking fellow CISOs… anything!
I’ve found I can be helpful in return, either within my areas of strength — incident response, investigations, insider threat, APTs — or, increasingly, by facilitating the sharing of Yahoo’s expertise with their peers at other companies. In security, the rising tide lifts all boats, and sharing our knowledge helps all of us.
No Secret Squirrels
Most of a CISO’s job is championing their team’s impact. Proactive communication has helped me build a coalition for the Paranoids across the company.
What does that practically mean? Mainly ignoring our collective desire to keep things secret.
Once I started treating security as a business enabler — driving the same level of transparency and collaboration as marketing… or sales — others (both inside the Paranoids and out) followed suit.