Becoming a CISO: What skills make a great cybersecurity leader?
The path to becoming a CISO has never been easy, and the recent spotlight on security creates more pressure than ever. Explore just how much has the role of the CISO has changed, and which nontechnical skills are common among today’s most successful cybersecurity leaders.
Any incoming executive feels pressure to make a good impression within their first few months. That pressure rises exponentially when you consider how much the role of the Chief Information Security Officer (CISO) has evolved over recent years. While cyber and risk management expertise remains integral to the security leadership function, there are several skills required of today’s CISOs that may not have fit the traditional mold.
How the Role of the CISO Has Changed
CISOs are still expected to serve their “traditional” functions as a technologist and guardian through managing and protecting their organization’s assets. Recently, however, more focus has been placed on their ability to strategize and advise other stakeholders on the importance of security to the business.
In fact, of the categories in the Gartner® CISO Effectiveness Index—future risk manager, workforce architect, stress navigator and executive influencer—only 12% of those surveyed excelled in all four.
Conducted in 2020, this survey compared the behaviors and traits of top and low performing CISOs amidst perhaps the most challenging and disruptive period in cybersecurity.
Of the factors, there are five differentiating behaviors that separate top-performing CISOs from the bottom:
- Initiate discussions on evolving norms to stay ahead of threats
- Prioritize keeping decision makers aware of current and potential future risks to the enterprise
- Proactively engage in securing emerging technologies
- Have a formal and actionable succession plan
- Define risk appetite through collaboration with senior business decision makers
There’s no foolproof method to navigating your role as a next-generation CISO. While you have the ability to succeed from a technological perspective, the Gartner index also indicates several nontechnical factors that may contribute just as much to success in the role.
Immediately, leaders that are just as focused on their strategic and advisory roles as they are their actual information security strategy plan are more likely to become a top performer. At a more granular level, there are four main skills that today’s CISOs can prioritize to secure their seat at the executive table.
Four Skills of Top-Performing CISOs
Appetite for Innovation
Why is it important? Despite the average enterprise running dozens of security tools, over 75% of CISOs note a lack of skilled resources and effective team structure to support their priorities.
While many characteristics believed to drive CISO effectiveness are myths (more certifications, working at larger organizations, etc.), years of experience isn’t one of them. Still, infrastructures are constantly changing. As such, your approach must adapt accordingly.
You can’t reach your desired state without changing the route of your journey. Sometimes, that requires venturing down the road less traveled. Successful CISOs aren’t afraid to take initiative and become an early adopter if it means improving their security program overall.
The term cyber warfare isn’t used idly — both fields are a case of cat and mouse, with two sides investing in innovative new weapons and tactics to outdo the other.
And just as no army would go up against tanks with muskets, businesses cannot afford to fall behind the latest tools and tactics being deployed by threat actors.Security Magazine
Why is it important? Top-performing CISOs meet with 3x as many non-information technology (IT) stakeholders as they do with those within their function.
“Effective CISOs realize heads of sales, marketing and business unit leaders are now key partners as the use of technology and, subsequently, the incurrence of information risk happens outside of IT at scale.”Gartner, 2020
Building relationships with stakeholders outside of the IT department will require you to find common ground. Traditional incident management metrics alone aren’t enough to effectively communicate risk to non-technical business program leaders. Top-performing CISOs integrate with the business to prevent competing agendas.
Strategic Business Alignment
Why is it important? Initiating conversations about risk in a way that ties directly into the overall business is essential to get the buy-in and support for your security operations initiatives.
Over 90% of CISOs hope to improve the strategic alignment between the security organization and the business. However, 46% of them fear the ability to accomplish that. Oftentimes, that’s because those other than security experts tend to perceive cybersecurity as nothing more than a regulatory compliance or technical exercise.
By pivoting the conversation from security to risk, you’ll be on track to facilitate holistic conversations that concern the entire business. Consider the added context you can provide that will paint a more detailed picture about your current state, and how that compares to your overall risk appetite
Why is it important? In 2020, an average of 50 CVEs (common vulnerabilities and exposures) were published daily. Task overload alone is a daunting challenge for security, operations and IT teams. Top performers, however, are significantly less likely to overload and incur unrealistic expectations.
Today’s CISOs are being pulled in many different directions and collaborating more with non-IT stakeholders. Nevertheless, it’s important to avoid becoming so focused on the bigger picture with C-level executives that you overlook what’s going on in the trenches.
The cybersecurity workforce shortage is a critical challenge for any organization. That said, your people are your most important asset. As a CISO, you play a pivotal role in shaping the future of the cybersecurity workforce. Provide clear directions, but also take the time to observe.
You may not be able to overhaul burdensome systems and processes overnight. Yet, simply showing that you’re listening and focused on workforce and policy development can go a long way when it comes to avoiding burnout.
The Evolution of Cybersecurity
As the cyber landscape continues to evolve, so will CISO position. If you haven’t already, expect to be called upon to shift from a response-driven, preventative program to a strategic, preventive controls-centric strategy. As you continue to sharpen your leadership skills and evolve your work practices, remember to follow that up with transformational programs to keep up with the pace of today’s attack surfaces.