The role of the chief information security officer (CISO) is complex and, much like cyber security itself, rapidly changing. In many ways, the CISO job is unrecognizable from what it once was; 86 percent of CISOs say their role has changed so much since they started, it’s almost a different role. Once a deeply technical and security function-focused discipline, modern security leaders must bring so much more to the table. Cyber security is now critical to business success – and it’s the CISO’s responsibility to not only ensure data and systems are protected from ever-changing threats, but that security is designed, built and implemented for business enablement.
This requires a skillset that is both diverse and unique, and while some specific intricacies can differ from role to role. Cyber Security Hub spoke to several CISOs who all agree that the following six skills are crucial for success.
CISOs must have business acumen and understanding
Unlikely to have been high on the CISO skill requirements list 10 years ago, business acumen and understanding are now integral components of the job. In a recent Cyber Security Hub poll, 43 percent of respondents voted for business acumen as the most important skill for today’s CISOs. “The modern CISO needs to be a business leader before anything else, demonstrating how its activity and initiatives bring value to the business beyond the remit of security,” says Guillaume Ehny, CISO at digital bank Kroo.
The security industry has long been vocal about security leaders not being seen as true executive members, lacking representation at board level. This has finally started to change – for example, new US Securities and Exchange Commission (SEC) rules require cyber expertise in board level positions with a lack of knowhow potentially coming under scrutiny from the SEC and/or shareholders.
“The current common perception about CISOs is their lack of board readiness, being seen as technicians and not suited for business conversations,” Ehny says. This is where modern CISOs need to differentiate themselves by demonstrating an understanding of the business including its goals, challenges, industry and competitors beyond the strict scope of security, he adds. “Executive members are expected to understand, challenge and contribute to any area of the business, even if it’s not directly under their remit, and the modern CISO should put themselves in the position to do so.”
CISOs that fail to achieve this will continue to be viewed as technicians, reporting under an executive and having their discourse translated and potentially diluted, he adds. Keith Price, CISO at National Highways, agrees, warning that without solid business acumen, CISOs will suffer “little to no acceptance” from executive committees and the board. To develop skills in this area, he advises fellow CISOs to ask business peers such as chief financial officers (CFOs) and chief operation officers (COOs) to act as mentors, to “take business classes even if just day long modules” and to volunteer for non-security projects.
CISOs must be effective communicators and storytellers
Another vital skill for modern CISO’s is the ability to communicate a “technical” subject effectively and accessibly. “CISOs develop and lead complex security programs that have an impact on all aspects of an organization. To implement security effectively they must be able to communicate with all company divisions and personnel levels,” says Dave Stapleton, CISO at ProcessUnity. This communication includes everything from inspiring and guiding their own team, to fostering a security-conscious culture across the organization, to effectively managing security-related crises, he adds.
Effective leaders tailor their communication approach to secure the required buy-in from each audience, and the CISO must follow suit, says Nick Percoco, CSO at global digital asset exchange Kraken. “For example, a CISO will use powers of persuasion among the c-suite to advocate for resources, but also deploy informative and instructive language to educate employees about the cyber risks that face the business.”
At least 50 percent of a CISO’s job is communicating ideas, opportunities, concerns and plans to a wide range of groups, says Ehny. “We are genuine salespersons within our organizations where security is often not on a product or delivery critical path.” Failing this is likely to reinforce the perception of security being the department of “no” and narrow its influence – leaving security playing catch up with the business, he adds.
There are many ways to develop and improve communication skills, and all can be used in parallel, Ehny states. “The best combination is always a blend of theoretical and practical knowledge and experience, with mentorship an obvious option. It could be with experienced CISOs or experienced non-security executives that will provide a different perspective to a situation.” Another way to work on these soft skills is through consumption of relevant literature such as books, magazines, articles, podcasts, webinars and YouTube channels on sales tactics, emotional intelligence, business management and industry trends, he adds.
CISOs must have technical capability and knowhow
While in most circumstances the CISO does not need to be the most technically proficient member of the security team, to make informed decisions, guide their team effectively and maintain credibility, a CISO must understand current cybersecurity threats, defense mechanisms and emerging technologies, Stapleton says. CISOs often engage directly with CIOs and CTOs who are likely to be proficient in various technical domains and to collaborate effectively, the CISO needs to have at least operational familiarity with the technologies being discussed, he adds.
“If you don’t have that technical skill you aren’t prepared to defend your organization – you’ll be in meetings with people and be lost,” concurs Jess Parnell, CISO at cyber security company Centripetal. “Everything is on fire in cyber and you need to know how to triage. Protecting valuable company assets isn’t something to play around with. It’s crucial to have the right skills and background for this role otherwise you put the company at risk.”
Underutilization of existing security solutions, unidentified and untreated technical risks and a lack of effectiveness during an ongoing security incident are all potential ramifications of failing to have enough technical capability and knowhow, says Stapleton.
“This is a tough skill to gain after an individual reaches the role of CISO. A CISO wanting to increase their technical capabilities should look for opportunities to learn from their staff. Volunteer to partner with a security engineer (for example) to learn on the job. Other options may include online training, security certification programs and technical bootcamps offered by local universities,” Stapleton continues.
CISOs must have a learning mindset
As cyber risks and attack vectors are constantly changing, modern CISOs must have a continuous learning mindset so they can adapt to new developments, Percoco says. “Any good CISO spends their time seeking to understand how current known gaps intersect with the evolving threat landscape and how to constantly improve the organization’s security posture in order to mitigate an attack.” Cyber security is a constant game of “cat and mouse” so while remaining at the cutting-edge is imperative for success, having strong awareness of the organization’s current capabilities (or lack of) is critical to remain focused on what matters most, he adds.
This also refers to learning about and understanding the many current and forthcoming cyber security regulations and rules that impact CISOs themselves as well as their organizations, says Lena Smart, CISO at MongoDB. A failure to do so can lead to fines and losing customers, she warns.
For example, the SEC recently announced charges against software company SolarWinds Corporation pits CISO, Timothy G. Brown, over internal control failures relating to allegedly known cyber security risks and vulnerabilities. The SEC seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties and an officer and director bar against Brown.
“Work closely with your legal department and make sure you have a clear understanding of the issues, controls needed and specific requests from each entity,” Smart says.
CISOs must be able to prioritize and balance costs
Security teams are thought of as cost centers and often find themselves forced to operate on less-than-optimal budgets. Prioritization ensures that, even when operating a lean program, a CISO stays aligned with business objectives, effectively allocates resources, addresses the most critical risks and meets internal and external stakeholder expectations, Stapleton says. Getting this wrong can result in wasted time and effort in the security program, reduced budget, unnecessary negative impact on the business and compliance failures, he adds.
“You’re preventing bad things from happening, but something you can’t always measure is how much it can cost,” Parnel says. “You can assess, but you never know the actual cost. Things that don’t happen are hard to turn into tangible savings too and that ultimately affects your budget.” CISOs need to be able to get true security with a limited budget, knowing they must get it right every single time. “If you miss one thing, you’re fired.”
A key element of security program prioritization is alignment with the business, Stapleton says. “A first step to improving this skill is understanding the success criteria of your organization. Think of a SWOT analysis (strengths, weaknesses, opportunities and threats) as a good starting point. With this knowledge in hand, a CISO is equipped to align their program’s priorities with those of the company.”
CISOs must be calm with nerves of steel
Finally, a modern CISO must showcase calmness and “nerves of steel” while decisively executing their predetermined strategies, Percoco says. “Crisis management is common within the position, so being able to maintain a cool and collected manner cannot be overstated.” Others within an organization will look to the CISO for direction during high-pressure incident response scenarios. “For this reason, a CISO must exude confidence in their leadership approach as they deploy a response strategy.”
Parnel agrees, adding that patience and calmness are some of the biggest soft skills a CISO can have. “Ease up on your people; push enough where they don’t up and leave you but allow them down time when things are calm so they can catch their breath.”