3 Hiking Principles That Made Me a Better CISO

When I am not studying the newest cybersecurity threat or preparing an enterprise and its employees for the next inevitable cyberattack, I can be found traipsing through California’s Sierra Nevada or in the depths of Death Valley. It was during these adventures that I developed both my mountain sense and found the quiet solitude to proactively strategize around new and creative security initiatives.

A career in cybersecurity is a never-ending path of trial and error, and to be a true leader in this space, you are expected to have all the right answers – especially when an enterprise finds itself at its most vulnerable, at the hands of a cybercriminal. In response to such dire situations, I’ll share three important realizations I’ve come to during my time outside the office that have ultimately made me a better chief information security officer (CISO).

Turning Mountains Into Hills

Overzealous new mountaineers, backpackers or security practitioners are often found biting off more than they can chew. The combination of excitement and the desire to reach the top can cause both an overestimation of speed and “summit fever.” Either can quickly lead to fatigue or excessive risk taking – dangerous scenarios for both an adventurer and a CISO.

This situation happens repeatedly in the cybersecurity industry. Driven by the sense that there’s too much to do and that everything needs fixing immediately, we take on roadmaps that are overly aggressive or so narrowly focused that we lose sight of the big picture. This leads to burnout and increases the likelihood of missing risks in the periphery.

As one of my mountain mentors once told me: start out slow, go go go; start out fast, never last. As I’ve grown in my role as a CISO, I have learned how to ensure I am not ushering my team towards failure, but instead, inspiring them to take threats one by one and learn when they need to take a step back and reevaluate the path ahead. It is acceptable to tackle a hill before moving on to a mountain, especially if it means you will be better prepared to take on a more threatening adversary.

Read the Map, Read the Mountain

When planning to climb Telescope Peak (11,043 feet above sea level) from Shorty’s Well in Death Valley (262 feet below sea level) for a total climb of 11,311 feet and more than 40 miles round trip, I spent hours reviewing maps and trip reports, while completing dozens of miles of desert-heat training to prepare. At midnight, under a moonless sky with temperatures still at 85 degrees Fahrenheit, we set out up Hanaupah Canyon. As the day wore on, we covered substantially more distance than we had planned and realized that continuing this trek would have us near the end of our water rations in one of the driest places on Earth. We turned back. Planning is an important part of mountain travel, but the maps and plans are merely representations of what you will experience. You must look around, ask if the actuals are occurring according to plan and, if not, be ready to adjust.

The same approach can be applied to cybersecurity. We are often building plan after plan; however, the ability to adapt rapidly to new realities is critical to success. Equipping a team to be able to handle this churn gracefully is a skill that a CISO must instill in them – especially before a cyberattack hits. Every attack is unique, and what worked for another organization might only cause further damage to your own. The ability to adapt, learn and adjust must be solidly ingrained within a team so they can compare reality to the original plan and make sound and safe cybersecurity decisions.

The Leader Must Not Fall

Improvements in climbing equipment allow for “safer falling” than the old hemp lines of yore; but, for many mountaineers, this remains an important maxim. If you are responsible for a group of climbers and you make bad decisions that result in your injury or death, you expose your entire party to serious risk. Leaders fall for a variety of reasons in the mountains: overconfidence and bravado, lack of consultation with the team, gaps in technical knowledge and so on. All of these are preventable if a leader has developed self-reflection skills and has done an honest inward analysis. Some falls are not preventable; if those end up being the anomaly, you will come out all right more often than not.

This concept maps closely to our role as leaders in cybersecurity. As a CISO, I must always ask myself if I am doing things that are motivated by the mission of the CIA triad (confidentiality, integrity and availability) and in the best interest of my team at all times. Building a cybersecurity program requires compromise, collaboration and negotiation – in summary: politics. On top of that are the realities of being a human – my behaviors, beliefs and ideas all add up to the sum of how I operate in the business.

“Am I executing my duties in the best interest of my people, and demonstrating the ideals that keep us moving?” is a question I am always asking myself. I cannot prevent all falls, but the ones driven by a lack of self-awareness or hubris are never acceptable, as they endanger my team and the mission of keeping our enterprise safe from the next cybersecurity threat.

In the summer of 2020, I huddled with my partner, under a large granite boulder, at 12,500 feet, in the shadow of the most spectacular mountains in California as thunder crashed around us. We had made plans, knew our route, trained and then set out for the summit, but the conditions changed and we turned back. As we headed down through Shepherds Pass, the thought of how these real-life lessons applied to my role as a CISO crystallized in my mind. When we reached camp, I came to understand the relationship between the mountains and the practices I bring to the cybersecurity industry. As an individual, I have brought my mountain adventures to my career and the realization that as a team, we are the sum of our experiences.

I may take inspiration from the mountains, my program manager may form his ideals from his life on a sailboat and my network engineer might find his drive through his experiences as a Marine. A team of diverse thinkers and security practitioners is built on bringing useful personal lessons to the table that can shape our effectiveness and steer us clear of hazards.

Jack Hamm

Jack manages the Gigamon internal security team — responsible for security operations, security architecture and incident response. He is a hands-on, seasoned operations manager with a focus on quality and process improvement.
