* Umberto Rosti
The CISO or director of information security is a relatively new position on the board and it has only been in the last 10 years that the role has gained more prominence, likely because of the increase in cyber breaches over the past decade.
The CISO's roles and responsibilities are not as clear-cut as some of the more established C-suite roles. This is largely due to the overlap (or competition, some might say) with some other similar roles. The chief security officer, chief information officer, and even chief technology officer or chief information risk officer may be competing roles. To complicate matters, there is no uniform reporting structure for the CISO position across the industry. In some cases, the CISO reports directly to the CEO. In others, they report to a CIO.
Part of this confusion may come from the idea that the role must be technology-based. In practice, information security management is not a purely technological problem. If it's not just about technology, what does it take to be a CISO? To what extent is the role based on technology? How focused is it on the business? On people? Does it require any special CISO skills and leadership skills?
The skills needed to be a successful CISO actually require a mix of talents. They range from incident response, business resilience, and intuitive thinking to managing your team, serving as a trusted advisor, and being the voice of reason. This mix of skills makes the role a difficult one to succeed in.
All these challenges mean a lot of responsibility and a big impact. A CISO with the right skills can review how their group can handle security and business.
As the role evolves, the CISO assumes increasing responsibilities. At least in theory, they should now have a more prominent role within the organization than in the 1990s.
So what does a CISO need to be successful today?
Breaking the Myth: CISO Doesn't Need to Be a Tech Genius
It may seem obvious that a CISO needs to be amazing at handling technology, but that's not always what you need most to succeed in the role. Of course, it's important to be able to talk with your technical team. You need to understand what they're doing, but that's just one piece of a much bigger puzzle.
Remember that this is a leadership role. A CISO needs to have a good knowledge of the field, but doesn't need to be hands-on-keyboard. Success requires that you have a large portfolio of non-technical skills at hand.
What It Takes To Be A CISO Today
- An understanding of business operations and what makes the organization work.
- Superior communication skills with a variety of stakeholders, especially with the C-suite.
- A strong knowledge of security operations, including changing or even creating them if necessary. This goes beyond virtual security to physical security as well.
- Program management skills, not least because this position has so many moving parts and requires someone who knows how to juggle.
- Cyber security knowledge so they can properly manage issues of threat intelligence, identity and access management, data loss prevention, investigations and forensics, and monitoring and automation technology such as SIEM and SOAR.
- Enough of a background in IT architecture and security that they can navigate the financial and maintenance needs of any information security program.
- Disaster recovery and business continuity skills for both pre- and post-event planning.
- A strong knowledge of governance, risk and compliance issues and even legal issues will be very helpful in creating and maintaining policies and procedures.
- Human resource management, which can be very important for education and training.
That's a pretty impressive and extensive list, but here's the kicker: you can find someone who has all these skills, and they might still fail in the role if they don't have a few more.
In a 2019 survey by PwC and Harvard Business Review Analytic Services, 63% of respondents said culture will be among the top five CISO responsibilities in three years. This means that a CISO will likely spend less time on technology-related issues and more time employing their social skills. First, they need to try to convince the board to make cybersecurity investments. Second, they need to work out which change management techniques will work best.
A successful information security program will require two things: buy-in from the executive leadership and buy-in from the rest of the team. So how would you go about getting this buy-in?
When it comes to executive leadership, you need to speak their language. You need to convey how your decisions help the business and, more recently, how they affect risk and resilience. If your approach to winning over these people is a collection of threat intelligence reports, vulnerability assessments, and industry warnings, don't expect to get very far. The key to your success with this stakeholder group rests solely on the CISO's talent for translating these reports, assessments and advisories into action. This means you need to show how your work will save the group money (for example, through a risk mitigation strategy) or generate a return on investment.
If you can demonstrate tangible value to the executive group, they will be more likely to support your efforts.
But winning over the board and the rest of the executive group is the easier task of the two buy-in groups. Winning over the rest of the team requires some serious skills in the field of change management.
Change management is difficult. Entire courses and textbooks are devoted to the subject. All types of teams, small and large, are engaged in how to implement it in practice. Here's the first thing you should know about change management: There's no foolproof way to do it. Much of this depends on the existing culture and what the intended vision is. But there are some solid principles that can be followed.
First, don't get lost in the details right away. That said, don't neglect planning either. If you want to make changes, you really need to know the details. It's just a matter of when to focus on them. Have them ready in your back pocket, right out of the gate, as best you can. Someone may ask you what these details are, and if you are not ready, you may find yourself stumbling in a way that is difficult to recover from.
But what should a CISO focus on first to succeed? Well, it has nothing to do with technology. It's all about psychology and emotional intelligence. And above all: everything starts at the top. If there is any kind of cultural change taking place, people will look to the CISO. If employees see words and not actions, there will be a profound impact, but it will not be the kind of impact the CISO is looking for. Cognitive dissonance is a real phenomenon that can undo your best plans.
Simply put, cognitive dissonance means that people are uncomfortable when their beliefs do not match their actions or the actions they are asked to perform. This means that if, as a leader, you ask someone to do something they don't agree with, you should expect some kind of resistance. This is particularly important in the cybersecurity space, because employees are often the weakest link in the security chain.
It is essential that the CISO is able to answer the following questions, with specificity:
- What is being done?
- Why is this being done?
- What is the result of not doing this?
- How does this affect the business?
- How does this affect employees?
Therefore, before the CISO makes any plans related to the security program, they must first identify the sources of resistance, including their own. They must also keep in mind the four dimensions of emotional intelligence: self-awareness, self-management, social awareness, and social management.
Being a good CISO requires talent that goes far beyond the technical arena. In this dynamic field, the CISO must be dynamic and diverse in their abilities as well. The CISO wears many hats, and many more than they would have even a few years ago. Technical skills are important and can get you the job, but if you want to succeed, be ready to step out of your comfort zone.
Remember personal skills, which count for even more when you have the technical ability to back them up. If you can employ some of the above suggestions and round out your game in the business and personal arenas, your next role after CISO might be CEO.
*Umberto Rosti is Chairman of Safeway