The chief information security officer (CISO) was once a highly technical role primarily focused on security. But now, the role is evolving. Modern security leaders must work across divisions to secure technology and help meet business objectives. To stay relevant, the CISO must have a broad range of skills to maintain adequate security and collaborate with teams of varying technical expertise.
Learning is essential to simply keep pace in security. In a CISO Series podcast, Skillsoft CISO Okey Obudulu recently said, “What makes the cybersecurity field exciting is often the challenge of solving complex high-stakes problems. Continuous learning is, therefore, necessary because threats, technologies and controls keep evolving, so stay curious and keep learning.” Change is the constant that every member of the security team must embrace.
Cyber threats will continue to evolve, and a CISO’s role in building and maintaining cyber defenses cannot be overstated. Regularly reviewing threat intelligence and data from actual attack attempts against the organization can make all the difference. These daily duties are only one aspect of a CISO’s responsibility to their teams and the entire organization.
The responsibilities of a CISO are numerous and affect nearly every department within an organization. As a result, it’s important to revisit essential skills every six months or so to stay sharp.
Larry Jarvis, Iron Mountain SVP CISO, recommends a three-pronged approach which includes “continuing education, staying on top of regulations and standards from industry-leading security bodies and tactically reviewing industry threat intelligence data daily.”
Take advantage of continuing education
Options for continuing education include formal certifications, academic degree programs and independent study of current research from leading security resources. These options can provide a full spectrum of knowledge and understanding of the cyber threat landscape, such as the basics of identifying potential threats and the technical skillset to protect against attacks or minimize damage. By taking advantage of these options, CISOs can gain access to the knowledge and tools to be better prepared and more resilient against potential cyber threats.
Dive deep into regulations
Regulations are becoming increasingly complex. Data privacy and security regulations differ significantly between countries and even between U.S. states. Regulations around data breach notification and response are also beginning to take shape. In addition, industry-specific regulatory requirements further complicate a company’s approach to compliance. It is essential for security leaders to have a thorough understanding of regulations in their industry and in the countries where they operate. Take advantage of industry resources like the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Agency (CISA) to develop a deeper understanding of regulations as they apply to your organization.
NIST frameworks provide an all-encompassing approach to cyber security, privacy and the security of the Internet of Things (IoT). NIST’s frameworks have been designed to help organizations protect their data, networks and systems from the ever-evolving threat landscape. While NIST focuses on producing detailed information and guidelines as they relate to mandates for federal agencies, they also provide guidance for other U.S. industries and the public.
CISA is a federal agency tasked with protecting and safeguarding the U.S. critical infrastructure from cyberattacks and malicious actors. CISA provides a wide range of resources, tools and services for both public and private sector organizations in addition to the work they do for federal infrastructure security. Detailed research findings, as well as training and education tools, are also available to public and private industries.
Hone communication skills
Communication skills are as important as technical acumen. As a team leader, the CISO is responsible for listening to and working with their security team to maintain organizational security. How well these teams work together largely depends on the working environment created from the top down. The CISO is responsible for ensuring a safe and healthy work environment for security incident response teams. Employee-manager communications play an essential part in retaining talented staff. Too little or too confusing information is problematic during normal operations but can be especially detrimental in a crisis. Consider how many and what kinds of questions are asked in certain situations. It’s possible you’re not quite conveying what you intended.
However, CISOs don’t only work with their own teams; they often collaborate with stakeholders from across the organization. It’s important to deliver the right message at the right time.
Obudulu recommends paying attention to your audience: “Communication, in general, has to be tailored to the audience for it to be effective. How we communicate, what words we pick, the level of granularity should all depend on the audience. I would add as well — this one is one our security community is somewhat guilty of — the throwing around of security-specific acronyms.”
Assess onboarding and off-boarding processes
Technical teams possess a vast amount of institutional knowledge. Although employee turnover cannot be completely avoided, it can be improved through well-designed onboarding and off-boarding processes. Consider the significant knowledge loss your teams may have experienced after staff departures. Evaluate how effective current knowledge transfer processes are for technology teams. Are new team members receiving the necessary information? Does the team have good documentation practices? Revising documentation and on/off-boarding processes can save everyone time and stress. Documentation created over time is easier to produce than a last-minute write-up right before an employee leaves.
Reassess your approach to security awareness training
The CISO is typically responsible for leading the organization in cybersecurity awareness training. New employees, in particular, are targeted by attackers because they’re unfamiliar with company systems and processes. Consider how effective existing programs are. Employees are often bored and tune out training that is too frequent or too in-depth. A once-per-year basic education approach does not work at all. Security awareness training must be engaging if it is to make an impact. Research increasingly suggests a shift in approach to these educational programs could yield better results.
Back to basics for growth
The role of the CISO is an increasingly important one, requiring a broad range of skills to be successful. It is essential for security leaders to not only have a thorough understanding of the regulations and compliance requirements in their industry but also to hone their communication skills and assess the onboarding and off-boarding processes currently in place. Security leaders should consider regularly re-evaluating their security awareness training programs to ensure the content is engaging and relevant to employees at all levels.
Fostering a willingness to learn and grow in the role demonstrates a commitment to continuous improvement of security and executive teams. By dedicating time to honing their skills and staying abreast of developments in the field, CISOs can help ensure their organization is well-equipped to defend itself against threats and can also foster better working relationships across the board.
Freelance Technology Writer