The job of the chief information security officer (CISO) has changed from that of a security services manager to one that carries responsibility across the entire enterprise. It has become a leadership position that requires organized thinking and detail-oriented concentration on a consistent basis. Given the rapid expansion and increasing sophistication of threat actors and cybercriminal tactics, these skills must become second nature to CISOs through repetition.

Seven Key Priorities for the Modern Security Leader

Some of the security leader’s tasks are project-based, but because the job is ongoing, CISOs need to remain cognizant of a set of priorities that can’t be left to chance. The following seven priorities can help today’s CISOs stay on top of their game and keep their companies secure.

1. Keep Ethics at the Forefront

It may seem obvious that cybersecurity ethics have a significant role in protecting the enterprise from attacks, but CISOs need to be constantly aware of their actions and how they affect the security of their systems. Privacy is closely related to security, and it affects individuals as well as the company. As computing systems and the volumes of data they collect grow, information about people will inevitably become part of the enterprise’s knowledge base.

The specifics about how much personally identifiable information (PII) is maintained versus how much is anonymized should be an ongoing discussion led by the CISO. The security leader must consider ethics at every juncture and in every decision, because while they can’t control every user and every action, the policies and applications they pursue send a message and have actual consequences.

2. Create Relationships With Peers

The CISO’s job is technology-based, but in many ways success depends on relationships. That’s because the most persistent threats rely on human behavior. Most employees don’t consider themselves to be security threats, but the actions they take and the way they use their computing devices can open the door to cyberattacks. It’s critical for security leaders to establish trusting, rather than authoritative, relationships with employees to demonstrate that they aim to protect the enterprise, not to inconvenience users.

Listen to the podcast series: A CISO’s Guide to Obtaining Budget

3. Understand the Business Mission

Endpoint protection, encryption and other general areas of cybersecurity apply to all businesses, regardless of the specifics of the business itself. By the same token, every business operates differently, and those details can mean huge discrepancies in security concerns. Obvious examples include health care providers that need to abide by Health Insurance Portability and Accountability Act (HIPAA) rules regarding patient information and credit card issuers that must protect customers’ personal data. The CISO needs to connect with executives and dig into the details of the business they are protecting to make certain its assets and sensitive data are covered beyond the basics.

4. Educate Yourself

The IT security landscape is constantly changing. Formal education may help land an IT security job, but it’s incumbent on the individual to seek out sources of information that will keep them up to date and continue their education.

The CISO needs to be a student in his or her field and pursue knowledge as if preparing a master’s thesis. Stakes are high, and intruders are eager to know more about the organizations they target. The task is to keep the gap between the intruders’ efforts and the company’s protection schemes as wide as possible by continuously learning.

5. Look to the Future

CISOs know cyberattacks are inevitable, and that knowledge should drive them to develop a vision that presents a strong and active defense against intrusions. The security leader must take a visionary approach that deepens his or her understanding of the company’s business and the threats that may come against it. In this way, the CISO looks to the future with the same kind of imagination attackers have, in order to deter and defeat them.

6. Take Action

CISOs need to be decisive in their actions. It isn’t enough to manage a think tank that considers intrusions and makes plans to mitigate them. While those efforts are important, the CISO also needs to be involved in systems design, business planning and security-related purchasing.

7. Communicate Regularly and Clearly

Each of the priorities outlined here is important, but all of them will fail without effective communication. The most important communication skill the CISO needs to master is exchanging information within the organization. This allows the security leader to gain insights about the business, learn about external and internal threats, and protect company assets. A CISO who effectively communicates his or her plans and knowledge can become an authority who helps the company protect itself against the cyberattacks at its doors every day.

A Well-Rounded CISO Makes for Robust Security

The rapid expansion of the threat landscape requires CISOs to venture outside their comfort zones and traditional areas of expertise. In this new age of cognitive systems, connected devices and insider threats, a well-rounded, communicative and visionary security leader is more valuable than ever.
