May 4, 2023 By Michelle Greenlee

The chief information security officer (CISO) was once a highly technical role primarily focused on security. But now, the role is evolving. Modern security leaders must work across divisions to secure technology and help meet business objectives. To stay relevant, the CISO must have a broad range of skills to maintain adequate security and collaborate with teams of varying technical expertise.

Learning is essential to simply keep pace in security. In a CISO Series podcast, Skillsoft CISO Okey Obudulu recently said, “What makes the cybersecurity field exciting is often the challenge of solving complex high-stakes problems. Continuous learning is, therefore, necessary because threats, technologies and controls keep evolving, so stay curious and keep learning.” Change is the constant that every member of the security team must embrace.

Cyber threats will continue to evolve, and a CISO’s role in building and maintaining cyber defenses cannot be overstated. Regularly reviewing threat intelligence and data from actual attack attempts against the organization can make all the difference. These daily duties are only one aspect of a CISO’s responsibility to their teams and the entire organization.

The responsibilities of a CISO are numerous and affect nearly every department within an organization. As a result, it’s important to revisit essential skills every six months or so to stay sharp.

Larry Jarvis, Iron Mountain SVP CISO, recommends a three-pronged approach which includes “continuing education, staying on top of regulations and standards from industry-leading security bodies and tactically reviewing industry threat intelligence data daily.”

Take advantage of continuing education

Options for continuing education include formal certifications, academic degree programs and independent study of current research from leading security resources. These options can provide a full spectrum of knowledge and understanding of the cyber threat landscape, such as the basics of identifying potential threats and the technical skillset to protect against attacks or minimize damage. By taking advantage of these options, CISOs can gain access to the knowledge and tools to be better prepared and more resilient against potential cyber threats.

Dive deep into regulations

Regulations are becoming increasingly complex. Data privacy and security regulations differ significantly between countries and even between U.S. states. Regulations around data breach notification and response are also beginning to take shape. In addition, industry-specific regulatory requirements further complicate a company’s approach to compliance. It is essential for security leaders to have a thorough understanding of regulations in their industry and in the countries where they operate. Take advantage of industry resources like the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) to develop a deeper understanding of regulations as they apply to your organization.

NIST frameworks provide an all-encompassing approach to cybersecurity, privacy and the security of the Internet of Things (IoT). NIST’s frameworks have been designed to help organizations protect their data, networks and systems from the ever-evolving threat landscape. While NIST focuses on producing detailed information and guidelines as they relate to mandates for federal agencies, it also provides guidance for other U.S. industries and the public.

CISA is a federal agency tasked with protecting and safeguarding U.S. critical infrastructure from cyberattacks and malicious actors. CISA provides a wide range of resources, tools and services for both public and private sector organizations in addition to the work it does for federal infrastructure security. Detailed research findings, as well as training and education tools, are also available to public and private industries.

Hone communication skills

Communication skills are as important as technical acumen. As a team leader, the CISO is responsible for listening to and working with their security team to maintain organizational security. How well these teams work together largely depends on the working environment created from the top down. The CISO is responsible for ensuring a safe and healthy work environment for security incident response teams. Employee-manager communications play an essential part in retaining talented staff. Too little or too confusing information is problematic during normal operations but can be especially detrimental in a crisis. Consider how many and what kinds of questions are asked in certain situations. It’s possible you’re not quite conveying what you intended.

However, CISOs don’t only work with their own teams; they often collaborate with stakeholders from across the organization. It’s important to deliver the right message at the right time.

Obudulu recommends paying attention to your audience: “Communication, in general, has to be tailored to the audience for it to be effective. How we communicate, what words we pick, the level of granularity should all depend on the audience. I would add as well — this one is one our security community is somewhat guilty of — the throwing around of security-specific acronyms.”

Assess onboarding and off-boarding processes

Technical teams possess a vast amount of institutional knowledge. Although employee turnover cannot be completely avoided, its impact can be reduced through well-designed onboarding and off-boarding processes. Consider the significant knowledge loss your teams may have experienced after staff departures. Evaluate how effective current knowledge transfer processes are for technology teams. Are new team members receiving the necessary information? Does the team have good documentation practices? Revising documentation and on/off-boarding processes can save everyone time and stress. Documentation created over time is easier to produce than a last-minute write-up right before an employee leaves.

Reassess your approach to security awareness training

The CISO is typically responsible for leading the organization in cybersecurity awareness training. New employees, in particular, are targeted by attackers because they’re unfamiliar with company systems and processes. Consider how effective existing programs are. Employees are often bored and tune out training that is too frequent or too in-depth. A once-per-year basic education approach does not work at all. Security awareness training must be engaging if it is to make an impact. Research increasingly suggests a shift in approach to these educational programs could yield better results.

Back to basics for growth

The role of the CISO is an increasingly important one, requiring a broad range of skills to be successful. It is essential for security leaders to not only have a thorough understanding of the regulations and compliance requirements in their industry but also to hone their communication skills and assess the onboarding and off-boarding processes currently in place. Security leaders should consider regularly re-evaluating their security awareness training programs to ensure the content is engaging and relevant to employees at all levels.

Fostering a willingness to learn and grow in the role demonstrates a commitment to continuous improvement of security and executive teams. By dedicating time to honing their skills and staying abreast of developments in the field, CISOs can help ensure their organization is well-equipped to defend itself against threats and can also foster better working relationships across the board.
