
Ask HN: Things to Keep in Mind Reporting Direct to CISO? - 0x01030307
I just got offered a new job.

I will report directly to the CISO (2 steps from CEO). I've never reported to someone like this before, and have primarily reported to a mid level manager.

What things should I keep in mind?

Thanks!
======
cimmanom
High level execs tend to have their attention torn in a million directions at
once. This means that how you communicate with them can be very important.

1. Always provide context for what it is you’re bringing up and be specific.
“Can we get your sign-off on the Foo project?” isn’t very helpful. This puts
the burden on them to context-switch, which they’ll almost certainly have
to do in order to grok what you’re talking about. Better would be: “You
probably remember how last month we discussed setting up Foo to protect
against intrusions like the one detected in June against the Bar cluster.
We’re almost done with the project and in order to meet the deadline we just
need you to review and approve the BazQuux by Friday.”

2. Summarize. You probably could provide a 3-page writeup of the decision
making process that went into choosing a vendor, for instance. Your exec
probably doesn’t have time to read it. Instead, provide a few short bullets:
“We evaluated vendors Foo, Bar, and Baz for the Quux project. Our
recommendation is to use Baz for the following reasons: <insert 3 short
bulleted sentences>. If an alternative is needed, Foo would also satisfy our
critical requirements.” And then just be ready to provide more detail upon
request.

------
motohagiography
At an executive level, knowing about a problem means you are accountable to
resolve it.

Their job is to use their limited human attention and direction to effect
constructive change and hold risk. Notifying them of a problem without a
solution attached is the same as creating a problem for them.

Often the solution will be to make the source of that problem disappear. The
only important things are ones they can do something about by directing or
convening people to solve it.

Their priority is to maintain degrees of freedom in decision making, and
always maintain their leverage in relationships to their stakeholders. You
don't need to understand the details of that as most of it will be invisible
to you, but you do need to understand how your work supports the credibility
of their commitments and doesn't force their decisions.

