[BreachExchange] Becoming a CISO: 5 Things You Need to Learn for Peak Effectiveness

Mon Apr 19 10:44:26 EDT 2021

https://insights.dice.com/2021/04/19/becoming-a-ciso-5-things-you-need-to-learn-for-peak-effectiveness/

In many organizations, it is the chief information security officer
(CISO) who oversees efforts to fight threats such as data breaches,
ransomware and phishing. In fact, companies with a CISO or chief
security officer (CSO) had stronger cybersecurity training programs,
according to IDG’s 2020 Security Priorities Study.

However, Dave Lewis, global advisory CISO for Cisco’s Duo security
business, notes that the job is primarily a managerial role, so
although a security background is helpful, not all people in this
position have that. In fact, people with a natural talent for looking
at things in a different way can receive training in security,
according to Lewis, who has a degree in archaeology and later began
graduate work in cybersecurity.

While he was studying archaeology, Lewis taught himself to hack into
computers just out of an “innate curiosity,” he says. That drive to
learn served him well. If you are a security professional working up
the ladder or just starting out in tech and want to know how to become
a CISO, here are five things you will need to learn to do.

Communicate Business Risks and Priorities

CISOs must be able to communicate how cyber risks relate to business
risks to executives and board members. As CISOs communicate risks,
they also need to share strategic priorities around cyber resilience,
noted Curtis Simpson, CISO of security firm Armis. Cyber resilience
entails withstanding and recovering from cybersecurity threats.

“CISOs, cyber teams and their partners will not be able to remediate
or mitigate every risk facing the organization,” Simpson said. “Focus
is key, and focus should always be based on risks and exposures that
are most likely to disrupt what matters most to the business.”

The job also involves communicating to external auditors about the
risk to data and intellectual property, Lewis noted: “First and
foremost, you want to be able to be strong in risk management because
as a defender you have a fiduciary responsibility to protect your
organization.”

Manage the Human Element

Lewis said CISOs not only need to know how to keep systems secure but
also easy to use for business professionals. This is what he calls
“managing the human element” for staff that may not be technically
savvy or are working remotely.

“As a security practitioner, especially in the CISO role, you want to
always be cognizant that everything you do is to secure the
organization but not at the cost of slowing down people’s ability to
operate,” Lewis said. He adds that a CISO should “democratize
security” by providing people in areas such as finance and HR with the
intuitive tools they need to work securely.

Master Budgets

During the COVID-19 pandemic, organizations are being especially
careful about allocating funds, so it requires a CISO to act like a
chief financial officer, according to Lewis.

In this role, you should be able to identify the biggest risks to the
organization and map out a budget to address them. To learn the
financial aspects of the job, potential CISOs don’t necessarily need a
financial background, according to Lewis. They could take a course
from a company like Coursera or edX to learn how to manage the
financial parts of leading the security team.

Understand Process Management

A CISO also must know about process management, such as removing or
adding staff to reduce security risks, Lewis said.

“If that is not done in a way that it makes sense, you could really be
exposing your organization to undue risk that could potentially cause
harm,” Lewis said. “You want to make sure that that process is not
only refined and tested, but you have to constantly go back and review
the processes, because things may have changed.”

If an employee leaves in a rage, the CISO must know how to protect
company email networks and financial records from this person, Lewis
said. The CISO should learn automation as part of onboarding and
offboarding, he said. Knowledge of business intelligence applications
would also be helpful in spotting anomalous behavior.

He has used a process management system called ITIL to reduce the risk
to an organization by reviewing the changes that are being made. ITIL
is a framework of practices for delivering IT services.

Think in a Strategic Fashion Instead of a Tactical Approach

A managerial role such as a CISO involves an approach that is more
strategic than tactical, according to Lewis. A mentor taught him the
importance of thinking at a high level rather than concentrating on a
particular tool or security incident.

“It’s very much about changing your way of thinking, looking at a
long-term plan, and then having people with that tactical ability work
for you on your team that can then address the tactical issues,” Lewis
said. “You are there to make sure you’re managing the business of
securing for your organization,  and you have folks that do the
tactical for you.” People conducting tactical tasks such as running
compliance or audits or managing firewalls will need clear direction
from the CISO, he added.

Gaining knowledge in these areas should prepare a future CISO for success.