The chief information security officer (CISO) is a relatively new position in the C-suite. It is roughly 25 years old or less, depending on whom you ask. But it is only within the last 10 or so years that the role has taken on greater prominence, likely because of the increase in cyber breaches over the last decade. What does a CISO do, and what skills does the job require?
Beyond Technology to Soft Skills
CISO roles and responsibilities are not as clear cut as those of the more established C-suite roles. This is in large part due to the overlap (or competition, some may say) with other, similar roles: chief security officer, chief information officer and even chief technology officer or chief information risk officer could all be competing positions. To complicate matters, there is no uniform reporting structure for the CISO across the industry. In some cases the CISO reports directly to the CEO; in others, to the CIO.
Some of this confusion may come from the idea that the role should be technology-based. In practice, managing information security is not a purely technological problem.
If it isn’t all about tech, what do you need to be a CISO? To what degree are the required skills technical? To what degree do they focus on business? On people? Does the role require any special soft skills and leadership techniques?
The skills required to be a successful CISO are a mixed bag of talents. They range from incident response and business resilience to intuitive thinking, tapping into your people, serving as the trusted advisor and being the voice of reason. That mixed bag of skills makes it a hard job to fill and to succeed at.
The Evolution — and Potential Revolution — of the CISO
All those challenges mean a lot of responsibility and a big impact. A CISO with the right skills can overhaul how their organization handles both its security and its business.
Let’s take a quick look at the general history of the CISO. In the early stage of the title’s existence (roughly 1995-2005), CISOs focused on compliance and the role was mostly IT-related. The middle stage (2005-2015) brought an increased focus on risk and more work on policies, procedures and frameworks. CISOs drove the adoption of mobile technologies and the changes that came with them, and they handled and led incident response. In the recent stage (2015-today), CISOs handle enforcement and leadership across a variety of platforms. These include, but are not limited to, cloud, mobile, identity and access management, mergers and acquisitions, strategy and business operations.
As the role evolves, the CISO takes on increased responsibility. At least, in theory, they should now have a more prominent role within the organization than they did in the 90s.
So, what does a CISO need to succeed today?
Dispelling the Myth: The CISO Does Not Need to Be a Tech Whiz
It may seem obvious that a CISO needs to be amazing at handling tech, but that’s not always what you need most to be successful in the role. Sure, it matters to be able to talk the talk with your technical staff. You need to understand what they are doing, but that is only one piece of a much larger puzzle.
Remember, this is a leadership role. The CISO needs sound knowledge of the field but doesn’t have to be the ‘hands on keyboard’ type. Success requires that you have a larger bag of non-technical skills at hand.
What it Takes to Be a CISO Today
A more refined list of skills a CISO should have includes:
- An understanding of business operations and what makes the organization tick.
- Superior communication skills with a variety of stakeholders, especially with the C-suite.
- A strong knowledge of security operations, including changing or even creating them if needed. This goes beyond just virtual security into physical security, as well.
- Program management skills, if for no other reason than that this position has so many moving parts and requires someone who can juggle.
- Cybersecurity knowledge, so they can appropriately manage issues of threat intelligence, identity and access management, data loss prevention, investigations and forensics, and monitoring and automation technology such as SIEM and SOAR.
- Enough of an IT and security architecture background that they can navigate the financial and maintenance needs of any information security program.
- Disaster recovery and business continuity skills, both for pre- and post- event planning.
- A strong knowledge of governance, risk and compliance issues and even legal issues, which will come in very handy for policy and procedure creation and maintenance.
- Human resource management, which can be very important for education and training.
That’s a pretty impressive and expansive list, but here’s the kicker: You could find somebody who has all these skills, and they might fail in their role if they do not possess a couple more.
It’s About Culture
In a 2019 PwC and Harvard Business Review Analytic Services survey, 63% of respondents said culture will be among the top five responsibilities for the CISO within three years. That means a CISO will probably spend less time on technology-related matters and more time employing their soft skills. First, they’ll need to sway the board into making cybersecurity investments. Second, they’ll need to figure out which change management techniques will work best.
A successful information security program will require two things: buy-in from executive leadership and buy-in from the rest of the team. So, how would you go about getting that buy-in?
When it comes to executive leadership, you need to speak their language. You need to convey how your decisions help the business and, more recently, how they affect risk and resilience. If your approach to winning over these people is a litany of threat intelligence reports, vulnerability assessments and industry warnings, don’t expect to get too far. Your success with this stakeholder group rests on your ability to translate those reports, assessments and warnings into actions. That means you need to show how your work will save the organization money (for example, through a risk mitigation strategy) or generate a return on investment.
If you can demonstrate tangible value to the executive group, they’ll be more likely to support your efforts.
But winning over the board and the rest of the C-suite is the easier job out of the two buy-in groups. Winning over the rest requires some serious skills in the field of change management.
Getting Buy-In for the CISO and the Plan
Change management is tough. Entire courses and textbooks are devoted to the subject. All types of teams, both small and large, grapple with how to implement it in practice. Here’s the first thing you should know about change management: there’s no foolproof way to do it. So much of it depends on the existing culture and what the intended vision is. But there are a few solid principles that can be followed.
First and foremost, do not get lost in the details out of the gate. With that said, don’t forget planning, either. If you want to make changes, you actually need to know the details. It’s just a matter of when to focus in on them. Have them ready in your back pocket out of the gate, as best you can. Somebody may ask you what those details are, and if you’re not ready, you may find yourself stumbling in a way it’s hard to recover from.
Back Up Words With Actions
But what should a CISO focus on first to be successful? Well, it has nothing to do with technology. It has everything to do with psychology and emotional intelligence. And most of all, it starts from the top. If a culture change is coming down the pipeline, people will be looking to the CISO. If employees see words but not actions, there will be a profound impact, but not the kind the CISO is looking for. Cognitive dissonance is a real thing that can erase your best laid plans.
Put simply, cognitive dissonance means people become uncomfortable when their beliefs don’t match their actions or the actions they are asked to carry out. That means if, as a leader, you ask someone to do something they do not agree with, expect some form of pushback. This is particularly important in the cybersecurity space because employees are most often the weakest link in the security chain.
The CISO as the Master of Connection
Getting past cognitive dissonance (which can also happen in the board and C-suite; nobody is immune to it) is more than just presenting your reasons for doing something. Once a person enters a state of cognitive dissonance, the only way to break free from it is by going deeper, showing the stakeholder that the new behavior will have a positive effect on both personal growth and the state of the group. Show some value that they can buy into, like savings and growth. In the end, what you are looking for is an emotional connection. This is why it is vital for the CISO to be able to answer the following questions, with specificity:
- What is being done?
- Why is it being done?
- What is the result of not doing it?
- How does it impact the business?
- How does it impact employees?
Therefore, before the CISO makes any security-program related plans, they need to first identify sources of resistance, including their own. They should also keep in mind the four dimensions of emotional intelligence: self-awareness, self-management, social awareness and relationship management.
How the CISO Becomes the Premier Cybersecurity Executive
Being a good CISO requires talents that go well beyond the technical arena. In this dynamic field, the CISO must be equally adaptable and diverse in their skills. The CISO wears many hats, far more than they would have even just a few years ago. One-trick ponies need not apply.
Technical skills are important and may get you the job, but if you want to be successful, be ready to go out of your comfort zone.
Remember soft skills, even more so when you have the technical prowess to back them up. If you can employ some of the suggestions above and round out your game in the business and personal arenas, your next job title after CISO may be CEO.