Six Skills CISOs Should Pursue To Elevate Their Role
By Steve Durbin, Managing Director, Information Security Forum, and Forbes Business Council Member
A rapid storm of digital transformation, the shifting sands of compliance and a prolonged drought for employers seeking particular skill sets have all combined to advance the importance of the chief information security officer in recent years. Talented and experienced security professionals have never been in greater demand, and there’s a major opportunity for advancement as all kinds of organizations clamor to secure their services.
This is a varied and challenging role that can have a major impact on the success of the business. CISOs must cope with increasingly distributed workforces and greater regulatory scrutiny, set against a backdrop that includes the looming threat of global recession, trade tensions and general uncertainty. To get the job done effectively and secure adequate budgets, CISOs need to show a deep understanding of business needs, add tangible value and engage with leaders across the organization.
For any CISO pursuing a successful career, I believe the following six skills are crucial:
Communicate clearly.
Any business leader needs the ability to communicate with clarity and get their ideas across, but this skill is particularly important for a CISO. Cybersecurity is rife with jargon and confusing technical issues, so a CISO must be able to explain complex concepts in terms that anyone can understand — from the board to the executive team to the workers on the warehouse floor. Creating a security culture that permeates the entire workforce requires a CISO with the ability not only to explain but also to evangelize on the importance of good security hygiene.
Presentation skills will impact a CISO’s ability to negotiate for budgets, spearhead new initiatives and train other staff. CISOs also need to keep the board and other executives apprised of the emerging threat landscape, new developments in the realm of compliance, and estimates of the potential financial impact of incidents so that they can make informed decisions about risk.
Balance opportunity and risk.
Many businesses have struggled with digital transformation, and there’s a tendency to put too much faith in the potential of technology. A good CISO can weigh the merits of an opportunity against an organization’s risk tolerance and estimate what it will cost to cover properly. The ability to balance the specter of data theft or regulatory non-compliance against the potential business benefits of a new piece of technology, a fresh project or a change in policy is vital; otherwise, security concerns run the risk of holding the business back.
Show leadership.
While a CISO will be responsible for reporting threats to the executive team as they emerge, crisis fatigue is very real, and there will also be time-sensitive incidents that must be dealt with immediately. A great CISO can deal with a security incident correctly and minimize damage to the business. They can also recognize the potential implications of a major threat that needs input from key decision-makers before a course of action can be chosen. Rarer is the wisdom to understand when to act autonomously and when to include others, but this kind of leadership will benefit a business enormously.
Manage incidents effectively.
No matter how strong an organization’s defenses, security incidents are inevitable. What matters is how they are handled. A strong CISO will have plans and contingencies in place for every possible incident. They will effectively manage the tools and staff at their disposal to reduce the disruption and get things back on track as swiftly as possible. They will track incidents in real time, generate clear reports on progress and recommend precise plans to mitigate threats.
Keep on top of regulatory requirements.
As new legislation is passed and regulatory requirements evolve, compliance is an ongoing task without end. CISOs should be fully up to date with the latest developments in their industry and have a clear picture of incoming legislation and any rule changes that may impact the business. What separates a great CISO from a competent one here is the ability to determine which way the wind is blowing and get ahead of the game. Instead of making small incremental changes to keep up with regulatory requirements as they appear, a smart CISO will make foundational changes that secure the longer-term position and make future compliance easier.
Understand technology.
Technical proficiency may have been overvalued to the detriment of some of the other skills highlighted here, but it is still crucial for a CISO to have a good working knowledge of the technology in their business. It’s not enough to pick the right tools; you must know how to configure them. It’s not enough to hire the right people; you must know enough about their jobs to assess their performance. To effectively balance the opportunity that a new piece of technology represents against the potential risk, you must understand it.
This is by no means an exhaustive list of the skills you might expect a great CISO to possess, but these are all abilities that will help any CISO improve and deliver better service to their organization. Many CISOs get caught in fire-fighting situations and cast as gatekeepers, but the most successful and accomplished CISOs focus on the big picture, plan for future opportunities and blend business goals with effective security.
About Steve Durbin
Steve Durbin is the Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. He is a frequent speaker and commentator on technology and security issues.
Steve has served as a Digital 50 advisory committee member in the United States, a body established to improve the talent pool for Fortune 500 boards around cyber security and information governance, and he has been ranked as one of the top 10 individuals shaping the way that organizations and leaders approach information security careers. He has also recently been featured on a list of the top 20 most influential leaders whose companies have a vision that shapes the conceptual landscape of their respective industries.
Steve is a Chartered Marketer, a Fellow of the Chartered Institute of Marketing and a visiting lecturer at Henley Business School where he speaks on the role of the Board in Cybersecurity.