Since the creation of the first Chief Information Security Officer (CISO) role about 25 years ago, the job has changed dramatically. What was once an uncommon position has quickly become standard, writes Jake Olcott, with the majority of companies including a cyber security-specific role in their C-Suites.
As cyber security has moved from being a niche issue to a mainstream business concern, the CISO has grown in importance. Although many CISOs come from purely technical backgrounds, it's fair to say that new challenges have forced them to take on the responsibilities of business leaders.
As a direct result, the most important CISO skills are not necessarily technical in nature. Business skills like collaboration, communication and management are just as critical for CISOs as they aim to reduce cyber risk in what is now an increasingly fraught threat landscape.
On that basis, let’s outline some of the most important CISO skills necessary for 2020 and beyond.
Cyber security is collaborative. The most efficient team of Security Operations Centre analysts in the world cannot prevent incidents if employees in other parts of the organisation are not trained on good security hygiene. CISOs cannot give their teams the resources they need if their Board and fellow executives don’t understand security challenges and allocate the necessary budget.
Shockingly, however, only 22% of companies say that their organisation’s security function is integrated with other business functions.
CISOs in 2020 and beyond will need to build collaboration skills in order to act as ambassadors for the cyber security programme. Communicating security priorities to other departments and across lines of business or distributed workplaces is a challenge, certainly, but gaining their buy-in is essential to maintaining effective security.
CISOs don’t have it easy. 91% of CISOs say they suffer from moderate or high stress, while 27.5% of CISOs state that stress affects their ability to do their jobs. CISO burnout is real, and it can create new security risks as well as personal challenges.
Strange as it might seem, one of the most important skills for CISOs is making sure they don’t become victims of burnout themselves.
One aspect of avoiding burnout is stress management. Exercise, meditation, and other stress-reducing activities can be very helpful. However, personal stress management isn’t going to be enough to stem the burnout crisis. CISOs can also consider advocating for policies in their organisations that reduce the likelihood of job stress, such as workplace wellness programmes or limiting after-hours e-mail notifications.
Increasing employee engagement
CISOs are not the only cyber security professionals at risk of burning out. 65% of Security Operations Centre professionals say stress has caused them to think about quitting.
As the cyber security skills shortage drags on, the most effective CISOs will be the ones who make sure their best employees stay on long-term.
With a 0% industry unemployment rate, the market pressure is on the employer to keep employees happy, not the other way around. That means security leaders must hone their people management skills and keep a finger on the pulse of employee engagement.
There are many techniques for increasing employee engagement, and each CISO will need to figure out which work best in their own organisation. Some effective techniques include increasing the frequency of employee/manager meetings, giving employees several avenues for feedback (including anonymous suggestions), adding more social time to the schedule or hosting company-sponsored parties or group activities, and recognising high performers with awards and prizes.
Communication and reporting
When reporting to the Board, other executives or even third-party auditors, CISOs need to make sure they have the messaging exactly right.
One of the most important CISO skills is being able to translate complicated technical concepts into easy-to-understand language. When others can actually wrap their minds around the challenges of the cyber security programme, they’re more likely to buy into it and provide support.
On a basic level, CISOs can improve their communications by avoiding information dumping and scare tactics. Handing the Board a 100-page report full of metrics it doesn't understand isn't useful. Similarly, warning of worst-case scenarios can backfire when it provokes a reactionary approach to security.
Further, CISOs should take a risk-based approach to cyber security reporting. In practice, that means making sure each KPI carries context about the actual risk it represents to the organisation. In addition, CISOs should understand how each data point affects the wider business KPIs and objectives.
Following a risk-based approach to reporting can help CISOs demonstrate the effectiveness of their programmes, advocate for new initiatives and improve overall security.
Jake Olcott is Vice-President of Government Affairs at BitSight