[BreachExchange] 4 Essential Skills for Modern CISOs to Succeed

Destry Winant destry at riskbasedsecurity.com
Tue May 14 09:11:19 EDT 2019


https://securityboulevard.com/2019/05/4-essential-skills-for-modern-cisos-to-succeed/

As cyber-risks have become a business issue, the role of the CISO in an
organization has changed. The modern CISO is now more than just a
department head responsible for the implementation and management of
security controls.

As a C-level executive, their role is now made up of two crucial and
equally important elements. The first is to enable the organization to
achieve its business goals, such as releasing better products faster
than competitors, looking attractive to stockholders and increasing
revenue. The second is to be a cybersecurity pro and minimize the
risks of cyberattacks that could threaten the business.

Getting this balance right requires not only excellent security
expertise and awareness of the latest technology trends, but also a
set of “soft” skills. To help today’s CISOs succeed in their roles,
here are four key skills to focus on.

CISO Soft Skills

Business Acumen

Traditionally, the CISO was responsible for developing a defense plan
based on their company’s IT landscape. This strategy is now
insufficient, and the modern approach needs to better align with the
business vision. That is why almost every CISO job advertised not only
requires detailed IT security knowledge and a list of certifications,
but also a business mindset.

As a result, CISOs cannot dismiss or prohibit a technology that their
business would like to implement. They need to evaluate the risks
associated with it and propose the most secure strategy that will not
impede organizational progress. If staff need to have access to
corporate resources from their devices, the CISO now needs to
implement a BYOD policy on the network.

In the words of one acting CISO, a best practice involves advising
others to become a risk manager as well as offering assistance and
guidance to the business: “Before introducing any new technology in
any department, I conduct meetings with those departments to ensure
that their changes are not going against our security norms. Then we
make the required changes so as to have proper integration with our
network.”

Communication and Presentation Skills

Being an executive involves interacting with the C-suite and the board
of directors. But as very few top managers have a security background,
it can be a challenge to have concerns fully understood by this
audience without using IT jargon.

Although the ability to present complex ideas in an easy-to-understand
manner has long been a job-advertisement cliché, the skill of translating
cybersecurity language into business terms can bridge this
communication gap. It may also help with a major headache
facing every CISO: justifying the IT security budget.

As the cybersecurity budget is often part of overall IT expenditure,
money can be prioritized for IT projects that demonstrate evident
business profits and ROI. Communication skills, including the ability
to tailor information to a non-technical audience and create strong
arguments, can prove that benefits far outweigh the costs.

Crisis Management Expertise

According to a recent Kaspersky Lab report, 86% of CISOs think
cybersecurity breaches will happen eventually, meaning that businesses
cannot afford to be unprepared. Every office has an evacuation
procedure in case of a fire. Likewise, a company should have a
strategy for when a breach happens, as panic and disorganization can
only worsen the situation.

An action plan is not limited to changing passwords or recovering
systems. To eliminate the attack quickly, it is essential to figure
out who is responsible for certain actions and identify key contacts
in other departments to inform first. These can include legal, PR or
customer success teams, who in turn will be able to take part in
resolving the crisis. If a breach happens, it is essential the CISO
remains aware throughout an incident and becomes a link between
stakeholders. They should coordinate the information security team in
their incident response activities, inform the business and advise on
how to resolve the situation.

Supervisory and Leadership Know-How

With 62% of CISOs agreeing that there is a shortage in cybersecurity
talent, it is becoming difficult to find qualified security
specialists. However, this is just the tip of the iceberg, as a bigger
concern is employee retention. A scarcity of security specialists
means that those in the field have many job opportunities being
offered to them constantly. As one CISO explained: “I’m a manager of
very talented cybersecurity specialists, who are targets of multiple
head hunters.”

The lack of an IT security labor force also increases the workloads of
current staff, causing additional concern for security leaders. With a
plethora of projects always waiting to be done, is burnout as inevitable as
cybercrime?

Avoiding high turnover and low employee morale is now a responsibility
of CISOs. As CISOs have a direct influence on security personnel, they
must possess strong leadership skills. They should work to be a leader
who people can follow, be a mentor who can support a team and be a
motivator that can encourage employees.

Motivation isn’t limited to monetary incentives. It may include
granting more decision-making authority, learning and professional
development possibilities and even positive recognition of one’s hard
work. What works perfectly for one person may not suit another, so to
be an effective manager CISOs must choose the optimal incentive or
source of motivation for everyone on their team.

Conclusion

It’s clear that the CISO’s role is challenging, requiring a unique
combination of soft skills and technical expertise. To be effective, a
CISO must develop a business mindset, effective communication skills
and a broad IT understanding along with strong management and
leadership qualities.

While technical skills previously formed the foundation of this role,
soft skills are key factors of the job today, and mastering these
abilities will help ease the balance of skills needed in the future.
With the rise of artificial intelligence-powered defensive tools on the
market that aid the fight against cybercrime, many wonder whether
robots will someday take IT jobs and fully replace humans. The day
might come when machines have better cybersecurity expertise than any
human and are able to solve technical tasks, but if CISOs have advanced
soft skills then their roles will continue to remain a necessity for
businesses in the future.
