Heading 1

You can edit text on your website by double clicking on a text box on your website. Alternatively, when you select a text box a settings menu will appear. Selecting 'Edit Text' from this menu will also allow you to edit the text within this text box. Remember to keep your wording friendly, approachable and easy to understand as if you were talking to your customer

TAG Cyber Law Journal

September 2018
A woman recounts her surprising rise to the role of CISO, and provides insight into what one needs to succeed.
By David Hechler
IF THERE EVER WAS A WOMAN you’d think was going to have a hard time making her way here in the field of cybersecurity, it would be Sali Osman. Women have not exactly been welcomed with open arms by men in tech. And there were other prejudices Osman might have expected to confront. She was not born in the United States, and she is a minority several times over. She was born in the northern part of Sudan, and even there she was from a minority group. She is Nubian. She is also Muslim. And she is black.
     Yet, she has no complaints. She has held important information security jobs at companies that ranged from GE Capital to Saudi Aramco. Sometimes she had the job title of chief information security officer (CISO), sometimes she didn’t. Sometimes she had the responsibilities without the title. These days she is a governance fellow at NACD , an independent director on several boards, and a cybersecurity adviser to companies and government agencies.
     How has she overcome potential obstacles? She is intelligent, confident, skilled and not easily deterred. From an early age, she was trilingual in Arabic, French and English, which has certainly helped in the internet age. And far from looking for slights, she has a tendency to overlook them. Or simply shrug them off. She attributes much of her success to what she learned from her father.
     Her father, Abdel-Wahab Osman, headed the engineering department of the Abu Dhabi police. It was in Abu Dhabi that Osman and her three sisters were educated in their early years.

Coding at 12
The intellectual challenges began early as well. “My childhood was a constant journey of proving myself,” Osman recalls. And her father’s opinion was often her proving ground.
     “I started coding when I was 12,” she says, adding, “I’ve always been a techie.” Her father encouraged her, but he also pushed her to strive for more. “My father was the type of person who would say, ‘Oh, good job! What else can you do?’ So I was always in the position of having to excel in everything my boy peers did, but I had to do it better.”
It was always about achievement. “My father was very critical. And he would never, ever give any excuses or accept any,” she continues. “And that made me color-blind to discrimination.” Unless someone came up to her and said, “We’re not giving you this position because you’re a woman,” she would assume that discrimination had nothing to do with her failure to secure a job.
     She recalls only two experiences that even she has to admit were examples of discrimination. One was in Egypt, where she went to college after she left Abu Dhabi. Osman was able to enter the Arab Academy for Science, Technology and Maritime Transport in Alexandria two years early, at the age of 16, because she’d earned a Cambridge Certificate (the equivalent of a high school diploma). A lover of boating, she’d planned to pursue a career in the maritime industry—until school officials told her that only boys were allowed to earn a maritime degree. Though she was disappointed at the time, it was that prohibition that led her to pursue a career in information security, which in retrospect she believes was a better choice and led to a better life with her husband and two children.

A Clear Instance of Prejudice
The other example was a job offer she received in the United States a number of years ago. The company asked her to come into their office to fill out some paperwork to make it official. When she arrived and identified herself, the woman across the counter seemed taken aback. “Are you sure you’re Sali Osman?” she asked. “Yes, I’m Sali,” Osman replied. The woman asked for an ID and took it to show a colleague in the back. After several minutes, she finally reappeared. “I’m sorry, that job has been filled,” she said. As she recounted the story, Osman laughed at the transparency of the lie.
     But these were aberrations. From the outset, she found it easy to get a job—even when she had to get one quickly. Her first venture into the U.S. job market was in 2000, when she found that she had to secure an internship with a U.S. company as part of her master’s program in computer systems at the City University of Seattle.  Shortly after she applied, she received multiple offers—but for full-time, paying jobs, not internships. She explained what she was applying for, and took the first internship offer that came back. It was from GE.
     A decade later, she returned to GE, taking a job at GE Capital, where she rose to the position of senior vice president, IT security audit. It was probably the best in-house job she’s ever had, she says, given the prestige of the firm and the authority that accompanied the word “audit.” During the nearly four years she stayed there, she had regular access to the board, she says.
     But in a sense, Osman’s career continued to be a “constant journey of proving myself.” And improving herself. In addition to her master’s in computer systems, she earned three advanced credentials: Certified in Risk and Information Systems Control (CRISC), Certified Information Security Manager (CISM) and Certified Information Systems Security Professional (CISSP). She also completed all work for a Ph.D. in biodefense (except the dissertation) at George Mason University.
     And all the while, she was proving herself in the field. She took security officer jobs that were senior manager positions “where they expect you to be involved in the leadership of your technical team. Others would expect you to be more of a board adviser kind of person. What I used to love about it is that, throughout my career, I was leading a great caliber of technical teams and great analysts.” She attributes much of her success to the teams she led. (And her influence as a leader did not stop at work. She has founded and led several community programs in the U.S. and Africa designed to mentor minority students and young professionals interested in cybersecurity.)
     But her career was undoubtedly made more challenging by the path she followed. She had no compunction about jumping from one industry to another, despite the steep learning curve each time she did so. She has worked in finance, broadcast TV, oil and gas, transportation and more. She has worked at publicly traded companies, nonprofits and government entities. This has given her an unusually broad perspective on the world of the CISO.

To Whom Should the CISO Report?
Asked about CISOs’ reporting lines, she recalled some who reported to the chief information officer; others to the chief financial officer, the chief executive officer, the chief risk officer and even the head of compliance. Asked which reporting line she advocates, she says, “I know this sounds like an attorney’s answer that you wouldn’t expect from a techie, and it depends on the industry, but generally speaking, the CISO should not be reporting to a person that he or she has to conduct security assessments on.”
     The potential problem is this, she says: “If the CISO has to report to the CIO, then who is going to be conducting security compliance and policy compliance on all IT projects? What if he finds a red flag?” The bottom line, she maintains, is that “the CISO should not be reporting to the entity or to the department that he or she will end up auditing. So if she’s going to be auditing finance systems, then she should not be reporting to the CFO.” This kind of conflict of interest, she adds, contributes to the regular turnover of CISOs, who often move from one company to another within three years. In her view, the logical reporting line should be to the CEO.
     It’s also important to note who reports to the CISO. Some companies hire directors to assist them. Osman has observed four distinct roles. Some directors are involved in cybersecurity investigations. Others draft and disseminate cybersecurity policies. There are security program managers who work with IT development—digital innovations introduced in the company—making sure that product developers comply with security standards. The fourth director’s role involves security and risk assessments. They make sure that these are completed, and they aggregate the results to present to the board.
     What big changes has Osman seen in the CISO role in recent years? Companies now place a premium on CISOs who understand their employers’ businesses and are good communicators—meaning that they are “influential” and “persuasive,” Osman says. And these days, companies are not looking for the kind of broad experience that Osman acquired by exploring multiple industries. Many companies seek candidates with deep experience in their own industry and are reluctant to consider those who come from others. She adds one final observation: CISOs now “have the liability but not the authority.” In many corporate environments, she says, security is an afterthought. It’s not planned in advance, built into the blueprint of IT’s next project. And that’s what makes the CISO’s role so difficult.
     Another challenge is one that will sound all too familiar to general counsel. The CISO may be seen as a cost center with no corresponding returns for the company. Osman repeats the questions that CISOs sometimes field from company higher-ups: “You asked for $6 million. We gave you the $6 million. What did you do with it? How did it bring value or revenue to our company?”

Practicing Persuasive Communication
In anticipation of this question, she developed certain strategies over the years. She began to do what some general counsel have also learned to do: She found ways to explain how her cost center contributed to the cause. She kept track of new clients, and tried to learn why they’d chosen her company. Sometimes there were surveys that asked whether the company’s security practices were an important incentive for the new client. She kept track of that data, and when she saw numbers rising, she made sure to praise management, pointing out that their wise investments in security had paid dividends in boosting business.
     She was practicing what she preached about the importance of persuasive communication. “Your challenge is to prove that you are just like all the other sales people,” she says. This is the CISO’s new playbook.
     Another chapter in that playbook should be devoted to getting on the same page as the law department. Osman says that she’s a big believer in vetting documents with the company’s lawyers. It makes sense to ensure that the contracts you’re using or the policies you’re disseminating pass muster. But she knows others in cybersecurity who view the two domains as distant and distinct. Or at least they did until recently. “I think the GDPR was an eye-opener for a lot of companies,” she says. Some companies suddenly realized that they had to hire a data protection officer because it was mandated for them in the EU’s General Data Protection Regulation. The new regulation may present an opportunity for the CISO and GC to forge an alliance.
     CISOs would also benefit, Osman says, from communication with their boards of directors. And vice versa. It’s been a revelation to advise directors, she emphasizes. Her impression was that many boards have directors with legal expertise along with experience in risk management. The reality, she found, was “not really.” Or not the kind that could help them confidently navigate the challenges presented by cybersecurity. Some of the issues that boards have found themselves discussing, like the internet of things, are complex and beyond their ability to assess without help. That’s why they needed outside advice. And that’s “a good beginning,” Osman notes. But many would benefit from recruiting directors with experience in the law, risk management and audits, she adds. 
     While she’s describing her wish list, Osman returns to her big one. “I would like to see the gap between liability and authority get smaller”—meaning the potential liability that CISOs face compared to the power they wield. When there’s a data breach at a company, the person held responsible is usually the CISO, Osman points out—even if an employee was involved in some way, as the victim of a phishing attack. Why? “Because they expect the CISO to protect the data.” And that’s cybersecurity’s bottom line.
An Invitation to our Cybersecurity Working Group
As you may have heard, CyberInsecurity and In The House are teaming up to co-chair a Cybersecurity Working Group on the second Thursday of each month. It’s a free interactive video event that begins with a brief presentation by a special guest designed to kick off a lively conversation. Sali Osman (who is featured above and has been a chief information security officer) will address the following topic: How to bridge the gap between the CISO and the legal department. She encourages you to bring your comments and questions.
     Ms. Osman will also repeat her talk before another group at 12:30, so feel free to join us at
either time. Here are the links to join the conversation:
Thursday, September 13: 10:00 a.m / 12:30PM