The role is always evolving, but the traits of an effective Chief Information Security Officer are largely unchanging
Studies reveal that post-pandemic, 70% of businesses plan on ramping up their cybersecurity investments. The Chief Information Security Officer (CISO) is at the helm of this transformation and their role is now stronger and more strategic than ever before, given today’s remote workforce, greater regulatory scrutiny and the general environment of panic and uncertainty against a backdrop of trade wars and an economic recession.
CISOs help navigate businesses through complex cyber risks and play a crucial role in their success. Board members are increasingly concerned about cybersecurity and are looking for a trusted advisor who can help anticipate new cyber risks, adapt to the evolving attack surface, discover innovative solutions to plug security holes and build a cyber-resilient organization.
Any CISO pursuing a successful career in cybersecurity should focus on developing the following leadership traits:
Strong cybersecurity problem-solving skills
Rolling out a successful security program requires a CISO to have cybersecurity knowledge built on years of technical expertise and experience. It’s not just about picking the right tools; leaders must also know when to use them. It is not just about hiring the right expertise, but about knowing enough about each role to assess performance. It is about gauging the opportunity a new piece of technology offers and weighing it against the cyber risks it introduces. A CISO must demonstrate strong analytical and problem-solving skills in the face of real-world challenges.
Superior communication skills
A good CISO must translate complex security topics into a language that can be understood by everyone. Cybersecurity is often confusing and riddled with technical jargon that can be difficult to understand both for employees and upper management. For the board, one must be able to measure, quantify and communicate risk exposure without dwelling too much on operational security metrics. Communication and presentation skills also matter when it comes to securing budgets, rolling out new security programs, responding to security incidents, or building trust and credibility on risk and compliance topics. A CISO must possess the ability to evangelise cybersecurity hygiene to infuse a culture of cybersecurity in the workforce.
A CISO represents the company’s stance on cybersecurity and exerts influence across company stakeholders in order to achieve desired security outcomes. In times of crisis, the CISO must exhibit a take-charge attitude, deal with time-sensitive incidents and take appropriate steps to minimise damage to the business. CISOs provide executive leadership in planning, developing, managing, staffing and supervising all security-related operations, using their vision to implement a robust security strategy.
In-depth knowledge of regulatory requirements
The regulatory environment is inexorably evolving. Businesses that approach compliance proactively navigate these changes with more ease and less stress. CISOs must be fully up to speed with changes in regulations and the latest trends in the industry. Instead of reacting to each regulatory change as it arrives, a smart CISO will try to stay ahead of the curve and lay foundations that secure a longer-term position, making future compliance easier to achieve.
Effective at managing cybersecurity incidents
Security incidents are inevitable. Cybercriminals continue to evolve their techniques and develop more advanced and evasive tactics. Strong CISOs prepare for worst-case scenarios and have contingency plans in place for every foreseeable incident. When a security event occurs, they will effectively manage the staff and tools at their disposal to minimise disruption and accelerate business recovery.
In the absence of a standard set of industry metrics for measuring cybersecurity performance (a CFO, by contrast, can speak the language of EBITDA), a CISO must establish a formal metrics program to understand how the security program is tracking. Metrics not only help justify or secure cybersecurity investments but also help compare opportunities with potential risks. A good CISO will often weigh up the merits of a new business opportunity or a new piece of technology, or the costs associated with failure to comply with a regulation, against the organisation’s risk tolerance, and estimate what it will cost to cover that risk properly.
These six CISO attributes are by no means exhaustive but rather offer foundational skills designed to help any CISO deliver better service and improve cybersecurity outcomes. CISOs are often caught up in firefighting and end up serving as gatekeepers. The most successful have an entrepreneurial mindset, focus on the bigger picture, plan for future contingencies, and blend strategic business goals with effective cybersecurity.