The chief information security officer (CISO) was once a highly technical role primarily focused on security. But now, the role is evolving. Modern security leaders must work across divisions to secure technology and help meet business objectives. To stay relevant, the CISO must have a broad range of skills to maintain adequate security and collaborate with teams of varying technical expertise.

Learning is essential to simply keep pace in security. In a CISO Series podcast, Skillsoft CISO Okey Obudulu recently said, “What makes the cybersecurity field exciting is often the challenge of solving complex high-stakes problems. Continuous learning is, therefore, necessary because threats, technologies and controls keep evolving, so stay curious and keep learning.” Change is the constant that every member of the security team must embrace.

Cyber threats will continue to evolve, and a CISO’s role in building and maintaining cyber defenses cannot be overstated. Regularly reviewing threat intelligence and data from actual attack attempts against the organization can make all the difference. These daily duties are only one aspect of a CISO’s responsibility to their teams and the entire organization.

The responsibilities of a CISO are numerous and affect nearly every department within an organization. As a result, it’s important to revisit essential skills every six months or so to stay sharp.

Larry Jarvis, Iron Mountain SVP CISO, recommends a three-pronged approach which includes “continuing education, staying on top of regulations and standards from industry-leading security bodies and tactically reviewing industry threat intelligence data daily.”

Take Advantage of Continuing Education

Options for continuing education include formal certifications, academic degree programs and independent study of current research from leading security resources. These options can provide a full spectrum of knowledge and understanding of the cyber threat landscape, such as the basics of identifying potential threats and the technical skillset to protect against attacks or minimize damage. By taking advantage of these options, CISOs can gain access to the knowledge and tools to be better prepared and more resilient against potential cyber threats.

Dive Deep Into Regulations

Regulations are becoming increasingly complex. Data privacy and security regulations differ significantly between countries and even between U.S. states. Regulations around data breach notification and response are also beginning to take shape. In addition, industry-specific regulatory requirements further complicate a company’s approach to compliance. It is essential for security leaders to have a thorough understanding of regulations in their industry and in the countries where they operate. Take advantage of industry resources like the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Agency (CISA) to develop a deeper understanding of regulations as they apply to your organization.

NIST frameworks provide an all-encompassing approach to cyber security, privacy and the security of the Internet of Things (IoT). NIST’s frameworks have been designed to help organizations protect their data, networks and systems from the ever-evolving threat landscape. While NIST focuses on producing detailed information and guidelines as they relate to mandates for federal agencies, they also provide guidance for other U.S. industries and the public.

CISA is a federal agency tasked with protecting and safeguarding the U.S. critical infrastructure from cyberattacks and malicious actors. CISA provides a wide range of resources, tools and services for both public and private sector organizations in addition to the work they do for federal infrastructure security. Detailed research findings, as well as training and education tools, are also available to public and private industries.

Hone Communication Skills

Communication skills are as important as technical acumen. As a team leader, the CISO is responsible for listening to and working with their security team to maintain organizational security. How well these teams work together largely depends on the working environment created from the top down. The CISO is responsible for ensuring a safe and healthy work environment for security incident response teams. Employee-manager communications play an essential part in retaining talented staff. Too little or too confusing information is problematic during normal operations but can be especially detrimental in a crisis. Consider how many and what kinds of questions are asked in certain situations. It’s possible you’re not quite conveying what you intended.

However, CISOs don’t only work with their own teams; they often collaborate with stakeholders from across the organization. It’s important to deliver the right message at the right time.

Obudulu recommends paying attention to your audience: “Communication, in general, has to be tailored to the audience for it to be effective. How we communicate, what words we pick, the level of granularity should all depend on the audience. I would add as well — this one is one our security community is somewhat guilty of — the throwing around of security-specific acronyms.”

Assess Onboarding and Off-Boarding Processes

Technical teams possess a vast amount of institutional knowledge. Although employee turnover cannot be completely avoided, it can be improved through well-designed onboarding and off-boarding processes. Consider the significant knowledge loss your teams may have experienced after staff departures. Evaluate how effective current knowledge transfer processes are for technology teams. Are new team members receiving the necessary information? Does the team have good documentation practices? Revising documentation and on/off-boarding processes can save everyone time and stress. Documentation created over time is easier to produce than a last-minute write-up right before an employee leaves.

Reassess Your Approach to Security Awareness Training

The CISO is typically responsible for leading the organization in cybersecurity awareness training. New employees, in particular, are targeted by attackers because they’re unfamiliar with company systems and processes. Consider how effective existing programs are. Employees are often bored and tune out training that is too frequent or too in-depth. A once-per-year basic education approach does not work at all. Security awareness training must be engaging if it is to make an impact. Research increasingly suggests a shift in approach to these educational programs could yield better results.

Back to Basics for Growth

The role of the CISO is an increasingly important one, requiring a broad range of skills to be successful. It is essential for security leaders to not only have a thorough understanding of the regulations and compliance requirements in their industry but also to hone their communication skills and assess the onboarding and off-boarding processes currently in place. Security leaders should consider regularly re-evaluating their security awareness training programs to ensure the content is engaging and relevant to employees at all levels.

Fostering a willingness to learn and grow in the role demonstrates a commitment to continuous improvement of security and executive teams. By dedicating time to honing their skills and staying abreast of developments in the field, CISOs can help ensure their organization is well-equipped to defend itself against threats and can also foster better working relationships across the board.

More from CISO

Ransomware Renaissance 2023: The Definitive Guide to Stay Safer

2 min read - Ransomware is experiencing a renaissance in 2023, with some cybersecurity firms reporting over 400 attacks in the month of March alone. And it shouldn’t be a surprise: the 2023 X-Force Threat Intelligence Index found backdoor deployments — malware providing remote access — as the top attacker action in 2022, and aptly predicted 2022’s backdoor failures would become 2023’s ransomware crisis.Compounding the problem is the industrialization of the cybercrime ecosystem, enabling adversaries to complete more attacks, faster. Over the last few…

2 min read

Do You Really Need a CISO?

2 min read - Cybersecurity has never been more challenging or vital. Every organization needs strong leadership on cybersecurity policy, procurement and execution — such as a CISO, or chief information security officer. A CISO is a senior executive in charge of an organization’s information, cyber and technology security. CISOs need a complete understanding of cybersecurity as well as the business, the board, the C-suite and how to speak in the language of senior leadership. It’s a changing role in a changing world. But…

2 min read

The Needs of a Modernized SOC for Hybrid Cloud

5 min read - Cybersecurity has made a lot of progress over the last ten years. Improved standards (e.g., MITRE), threat intelligence, processes and technology have significantly helped improve visibility, automate information gathering (SOAR) and many manual tasks. Additionally, new analytics (UEBA/SIEM) and endpoint (EDR) technologies can detect and often stop entire classes of threats. Now we are seeing the emergence of technologies such as attack surface management (ASM), which are starting to help organisations get more proactive and focus their efforts for maximum…

5 min read

How the Talent Shortage Impacts Cybersecurity Leadership

4 min read - The lack of a skilled cybersecurity workforce stalls the effectiveness of any organization’s security program. Yes, automated tools and technologies like artificial intelligence (AI) and machine learning (ML) offer a layer of support, and bringing in a managed security service provider (MSSP) provides expertise that isn’t available in-house. But it isn’t enough, especially for the medium-sized businesses that would most benefit from an internal security team. However, the talent shortage doesn’t just impact present-day security concerns. The lack of a…

4 min read