The chief information security officer (CISO) is a relatively new position in the C-suite. It’s about 25 years old or less, depending on whom you ask. But it is only within the last 10 or so years that the role has taken on greater prominence, likely because of the increase in cyber breaches over the last decade. What does a CISO do, and what skills are required?

Beyond Technology to Soft Skills

CISO roles and responsibilities are not as clear cut as some of the more established C-suite roles. This is in large part due to the overlap (or competition, some may say) with some other, similar roles. Chief security officer, chief information officer and even chief technology officer or chief information risk officer all could be competing roles. To complicate matters, there is no uniform reporting structure for the CISO position across the industry. In some cases the CISO reports directly to the CEO. In others they report to a CIO.

Some of this confusion may come from the idea that the role should be technology-based. In practice, managing information security is not a purely technological problem. 

If it isn’t all about tech, what do you need to be a CISO? To what degree are those skills technology-based? To what degree do they focus on business? On people? Do they require any special CISO soft skills and leadership techniques?

Being a successful CISO actually requires a mixed bag of talents. They range from incident response and business resilience to intuitive thinking, tapping into your people, serving as the trusted advisor and being the voice of reason. That mixed bag of skills makes it a hard job to fill and succeed at.

The Evolution — and Potential Revolution — of the CISO

All those challenges mean lots of responsibility and a big impact. A CISO with the right skills can overhaul how their organization handles both its security and its business.

Let’s take a quick look at the general history of the CISO. In the early stage of the title’s existence (~1995-2005), CISOs focused on compliance and it was mostly an IT-related role. The middle stage (2005-2015) brought an increased focus on risk and more work on policies, procedures and frameworks. CISOs drove changes such as the adoption of mobile technologies, and they handled and led incident response. In the recent stage (2015-today), CISOs handle enforcement and leadership across a variety of platforms. These include, but are not limited to, cloud, mobile, identity and access management, mergers and acquisitions, strategy and business operations.

As the role evolves, the CISO takes on increased responsibility. At least, in theory, they should now have a more prominent role within the organization than they did in the 90s. 

So, what does a CISO need to succeed today?

Dispelling the Myth: The CISO Does Not Need to Be a Tech Whiz

It may seem obvious that a CISO needs to be amazing at handling tech, but that’s not always what you need most to be successful in the role. Sure, it matters to be able to talk the talk with your technical staff. You need to understand what they are doing, but that is only one piece of a much larger puzzle.

Remember, this is a leadership role. The CISO needs to have sound knowledge of the field, but doesn’t have to be the ‘hands on keyboard’ type. Success requires having a larger bag of non-technical skills at hand.

What it Takes to Be a CISO Today

A more refined list of skills a CISO should have includes:

  • An understanding of business operations and what makes the organization tick.
  • Superior communication skills with a variety of stakeholders, especially with the C-suite.
  • A strong knowledge of security operations, including changing or even creating them if needed. This goes beyond just virtual security into physical security, as well.
  • Program management skills, if for no other reason than that this position has so many moving parts and requires someone who can juggle.
  • Cybersecurity knowledge, so they can appropriately manage issues of threat intelligence, identity and access management, data loss prevention, investigations and forensics, and monitoring and automation technology, such as SIEM and SOAR.
  • Enough of an IT and security architecture background that they can navigate the financial and maintenance needs of any information security program.
  • Disaster recovery and business continuity skills, both for pre- and post-event planning.
  • A strong knowledge of governance, risk and compliance issues and even legal issues, which will come in very handy for policy and procedure creation and maintenance.
  • Human resource management, which can be very important for education and training.

That’s a pretty impressive and expansive list, but here’s the kicker: You could find somebody who has all these skills, and they might fail in their role if they do not possess a couple more.

It’s About Culture

In a 2019 PwC and Harvard Business Review Analytic Services survey, 63% of respondents said culture will be among the top five responsibilities for the CISO within three years. That means a CISO will probably spend less time on technology-related matters and more time employing their soft skills. First, they’ll need to try to sway the board into making cybersecurity investments. Secondly, they’ll figure out what the best change management techniques will be.

A successful information security program will require two things: buy-in from executive leadership and buy-in from the rest of the team. So, how would you go about getting that buy-in?

When it comes to executive leadership, you need to speak their language. You need to convey how your decisions help the business and, more recently, how they affect risk and resilience. If your approach to winning over these people is a litany of threat intelligence reports, vulnerability assessments and industry warnings, don’t expect to get too far. The key to your success with this stakeholder group rests solely on your talent, as CISO, to translate those reports, assessments and warnings into actions. That means you need to show how your work will save the group money (such as through a risk mitigation strategy) or generate a return on investment.

If you can demonstrate tangible value to the executive group, they’ll be more likely to support your efforts.

But winning over the board and the rest of the C-suite is the easier job out of the two buy-in groups. Winning over the rest requires some serious skills in the field of change management.

Getting Buy-In for the CISO and the Plan

Change management is tough. Entire courses and textbooks are devoted to the subject. All types of teams, both small and large, grapple with how to implement it in practice. Here’s the first thing you should know about change management: there’s no foolproof way to do it. So much of it depends on the existing culture and what the intended vision is. But there are a few solid principles that can be followed. 

First and foremost, do not get lost in the details out of the gate. With that said, don’t forget planning, either. If you want to make changes, you actually need to know the details. It’s just a matter of when to focus in on them. Have them ready in your back pocket out of the gate, as best you can. Somebody may ask you what those details are, and if you’re not ready, you may find yourself stumbling in a way that is hard to recover from.

Back Up Words With Actions

But, what should a CISO first focus on to be successful? Well, it has nothing to do with technology. It has everything to do with psychology and emotional intelligence. And most of all: it all starts from the top. If there is some sort of culture change coming down the pipeline, people will be looking to the CISO. If employees see words and not actions, there will be a profound impact; except, that impact won’t be the type the CISO is looking for. Cognitive dissonance is a real thing that can erase your best laid plans.

Put simply, cognitive dissonance means people become uncomfortable when their beliefs don’t match their actions or with the actions they are asked to carry out. That means if, as a leader, you ask someone to do something they do not agree with, expect some form of pushback. This is particularly important in the cybersecurity space because employees are most often the weakest link in the security chain.

The CISO as the Master of Connection

Getting past cognitive dissonance (which can also happen in the board and C-suite; nobody is immune to it) is more than just presenting your reasons for doing something. Once a person enters a state of cognitive dissonance, the only way to break free from it is by going deeper, showing the stakeholder that the new behavior will have a positive effect on both personal growth and the state of the group. Show some value that they can buy into, like savings and growth. In the end, what you are looking for is an emotional connection. This is why it is vital for the CISO to be able to answer the following questions, with specificity:

  • What is being done?
  • Why is it being done?
  • What is the result of not doing it?
  • How does it impact the business?
  • How does it impact employees?

Therefore, before the CISO makes any security-program-related plans, they need to first identify sources of resistance, including their own. They should also keep in mind the four dimensions of emotional intelligence: self-awareness, self-management, social awareness and social management.

How the CISO Becomes the Premier Cybersecurity Executive

Being a good CISO requires talents that go well beyond the technical arena. In this dynamic field, the CISO must be dynamic and diverse in their skills as well. The CISO wears so many hats, and so many more than they would have had even just a few years ago. One-trick ponies need not apply.

Technical skills are important and may get you the job, but if you want to be successful, be ready to go out of your comfort zone. 

Remember soft skills, even more so when you have the technical prowess to back them up. If you can employ some of the suggestions above and round out your game in the business and personal arenas, your next job title after CISO may be CEO. 
