A Global CISO’s Ten Rules for Success

Neal Pollard is an OODA Network member and is the Global CISO at UBS.  He recently posted his 10 rules for being a successful CISO on LinkedIn and gave us permission to share them here.  It is one of the best top 10 lists we’ve seen.

“As CISO at UBS, I’ve been fortunate not only to have smart, collaborative teammates in Group Technology and across UBS, but also to belong to a group of collaborative fellow CISOs in the financial service and other industries. They’ve always been ready and generous with advice and the benefit of their experiences. I think it’s important that the public understand how much this informal collaborative approach improves cybersecurity. Many have shared their overall observations of what works and what doesn’t, often in lists. To contribute and add my observations, here are 10 rules I’ve accumulated thus far, for being an effective CISO.

  1. Simplify.
  2. The threat is human.  Plan accordingly.
  3. Distinguish security from compliance – they’re different, though mutually supportive.
  4. Instrument everything you can – networks, hosts, apps, users, and sensitive data.
  5. Don’t trust controls, users, third parties, computers, or the internet.
  6. Hire into your staff technologists, operators, risk/compliance specialists, auditors, lawyers, and diplomats.
  7. Bridge the difference between a cost center and profit center.  Understand what the business wants to accomplish and develop a way to preserve and extend the digital value they deliver.
  8. When challenged by competing priorities, re-read what’s written on the company HQS lobby wall.
  9. Culture is a powerful capability.  Build, use, and protect it.
  10. Don’t use 10 rules if 9 will do.”

Attribution:  Neal Pollard, CISO at UBS

Additional Insight:

11 Habits of Highly Effective CISOs

Seeking Security Alpha

Cybersecurity Sensemaking

Matt Devost


Matthew G. Devost is the CEO & Co-Founder of OODA LLC. Matt is a technologist, entrepreneur, and international security expert specializing in counterterrorism, critical infrastructure protection, intelligence, risk management and cyber-security issues. Matt co-founded the cyber security consultancy FusionX from 2010-2017. Matt was President & CEO of the Terrorism Research Center/Total Intel from 1996-2009. For a full bio, please see www.devost.net