Chief Information Security Officers: The Key Skills for 2020 and Beyond

Jake Olcott

Since the creation of the first Chief Information Security Officer (CISO) role about 25 years ago, the job has changed dramatically. What was once an uncommon position has quickly become standard, writes Jake Olcott, with the majority of companies including a cyber security-specific role in their C-Suites.

As cyber security has transitioned from being a niche issue to becoming a mainstream business concern, so the CISO has become more important. Although many CISOs come from purely technical backgrounds, it’s fair to say that new challenges have forced them to take on the responsibilities of business leaders.

As a direct result, the most important CISO skills are not necessarily technical in nature. Business skills like collaboration, communication and management are just as critical for CISOs as they aim to reduce cyber risk in what is now an increasingly fraught threat landscape.

On that basis, let’s outline some of the most important CISO skills necessary for 2020 and beyond.

Collaboration

Cyber security is collaborative. The most efficient team of Security Operations Centre analysts in the world cannot prevent incidents if employees in other parts of the organisation are not trained on good security hygiene. CISOs cannot give their teams the resources they need if their Board and fellow executives don’t understand security challenges and allocate the necessary budget.

Shockingly, however, only 22% of companies say that their organisation’s security function is integrated with other business functions.

CISOs in 2020 and beyond will need to build collaboration skills in order to act as ambassadors for the cyber security programme. Communicating security priorities to other departments and across lines of business or distributed workplaces is a challenge, certainly, but gaining their buy-in is essential to maintaining effective security.

Avoiding burnout

CISOs don’t have it easy. 91% of CISOs say they suffer from moderate or high stress, while 27.5% of CISOs state that stress affects their ability to do their jobs. CISO burnout is real, and it can create new security risks as well as personal challenges.

Strange as it might seem, one of the most important skills for CISOs is making sure they don’t become victims of burnout themselves.

One aspect of avoiding burnout is stress management. Exercise, meditation, and other stress-reducing activities can be very helpful. However, personal stress management isn’t going to be enough to stem the burnout crisis. CISOs can also consider advocating for policies in their organisations that reduce the likelihood of job stress, such as workplace wellness programmes or limiting after-hours e-mail notifications.

Increasing employee engagement

CISOs are not the only cyber security professionals at risk of burning out. 65% of Security Operations Centre professionals say stress has caused them to think about quitting.

As the cyber security skills shortage drags on, the most effective CISOs will be the ones who make sure their best employees stay on long-term.

With a 0% industry unemployment rate, the market pressure is on the employer to keep employees happy, not the other way around. That means security leaders must hone their people management skills and keep a finger on the pulse of employee engagement.

There are many techniques for increasing employee engagement. That being so, each CISO will need to figure out what will work best in their own organisation. Some effective techniques include increasing the frequency of employee/manager meetings, giving employees several avenues for providing feedback (including anonymous suggestions), adding more social time to the schedule or hosting company-sponsored parties or group activities, and recognising high performers with awards and prizes.

Communication and reporting

When reporting to the Board, other executives or even third-party auditors, CISOs need to make sure they have the messaging exactly right.

One of the most important CISO skills is being able to translate complicated technical concepts into easy-to-understand language. When others can actually wrap their minds around the challenges of the cyber security programme, they’re more likely to buy into it and provide support.

On a basic level, CISOs can improve their communications by avoiding information dumping and scare tactics. Turning in a 100-page report full of metrics the Board doesn’t understand isn’t useful. Similarly, warning of worst-case scenarios can backfire when it creates a reactionary approach towards security.

Further, CISOs should take a risk-based approach to cyber security reporting. In practice, that means making sure KPIs contain context about the actual risk posed to the organisation. In addition, CISOs should understand each data point’s impact on larger business KPIs and objectives.

Following a risk-based approach to reporting can help CISOs demonstrate the effectiveness of their programmes, advocate for new initiatives and improve overall security.

Jake Olcott is Vice-President of Government Affairs at BitSight

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications). Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute’s George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian is actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications’ dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.