[BreachExchange] A CISO For The 2020s – More Than Just a Dashboard Driver

[Destry Winant]

https://www.infosecurity-magazine.com/opinions/ciso-2020s-dashboard/

As the senior security role inside many corporations continues its
inexorable elevation away from front-line defense, many practitioners
see their roles gravitating to a more strategic position. Today’s
contemporary CISO is no longer defined by days strapped to a SIEM,
tracking threat intel feeds or making sure technical hygiene is
maintained. A far broader skillset is now required.

As risk posture is increasingly entwined with company value, the job
has become as much about people and process as technology. The
‘unicorn’ security person sought by many boards now, is someone who
understands how to put cybersecurity into a wider business context.
Those with the ability to make strategic decisions founded in the
commercial imperative of the organizations they work for, are highly
sought after.

This, of course, doesn’t just mean being a hard-nosed economist, a
sound technical understanding is obviously still at the heart of the
day job. However, now more than ever it is about being able to take a
far more rounded view of all the elements required to minimize risk.

One of the primary factors in delivering an effective security posture
is the ability to oversee human assets. While hardware and software
form a digital battleground upon which the all-important risk
calculation is played out, the deployment and management of people is
fast becoming the all-important factor for dictating how successfully
this war is waged.

This has been a gradual industry change. However, with the sudden
fragmenting of the workforce, many CISOs are being forced to update
their human resources playbook to reflect teams who, for the most
part, are now scattered in bedrooms and kitchens across the globe.

Some interesting challenges arise here. First and foremost, how do
security leaders encourage the necessary rapport with those they
manage, while remote? All of a sudden, the comfortable blanket of
meeting rooms, face-to-face chats, watercooler moments and evenings in
the pub has been whipped away. Many fear this will sap the
interpersonal relationships that motivate and bind the people they
manage. A by-product of such a situation is a reduction in cross-team
working, leading to more siloes, and a gradual strangling of
productivity.

The CISO who excels in 2020 is one who adapts to this situation and
finds innovative new ways to collaborate and build relationships with
their charges on digital platforms, and in other creative ways.

As much of a security issue as they create, cloud-based collaborative
tools can be a huge driver for shared working and a bonding tool. A
failure for a CISO embrace such platforms may be the undoing of some
as younger, more digitally savvy, colleagues may be waiting in the
wings. Staying relevant as the world changes is key.

The broader issue of geographical distance also risks manifesting as a
talent problem for CISOs. Hungry to learn and cultivate their skills,
career development is still crucial to many in the security team.
Today’s senior leader needs to ensure the legacy way of doing this,
typically physical training in person, is updated to reflect the world
of mass home working.

The same goes for the initiatives larger companies undertake to
develop security talent from within. The agile CISO needs to innovate,
finding ways for pushing people into in-house infosec teams through
programs of evangelization, all while remote.

Once talent has been identified – thought also needs to be given to
the onboarding process. After expending resources hiring or creating
staff internally, a solid initiation program while remote is key to
avoiding the kind of cultural awkwardness that could arise from
bringing new people into the team while remote. As everyone knows,
first impressions last.

The underlying answer to many of these problems lies in creating a
culture which truly embraces the new world of work. This is more than
merely accepting it is OK to work from home but removing the stigma
entirely. To do this, CISOs need to lead from the front and extol the
virtues of flexible working, such as exercise breaks, time with
friends and family – while at the same time adopting a pragmatic
approach to performance. Finding a balance between productivity and
flexibility is key. It may even help address some of the burnout
endemic in the industry.

Acceptance of these macro level changes is not something the CISO
should be doing in isolation. Across the entire C-Suite, many are
coming round to the idea that returning to the office is not a binary
choice and a blended office/home hybrid will become the norm. In fact,
management teams are celebrating the momentum created by their
organization’s ability to embrace change and drive innovation and are
weighing up which ‘emergency measures’ need to be made permanent. Many
have the possibility of driving huge unexpected efficiencies.

The CISO of 2020 is one who is aware of all this and is willing to
innovate. Someone who is prepared to listen to the business context
and be agile. Historically, the job has been defined by technological
innovation.

However, a similar mindset must now be taken to driving change in the
people and processes they manage. This year may have been equal parts
unexpected and unsettling, however it also presents huge opportunities
for the brave.