Why CISOs need to understand the business
While CISOs need technical skills, business skills help them push their team's agenda and get the support and funding they need to protect their company.
When you hear the title CISO, you think of the person in charge of an organization's cyber and data security strategy. A key component of the CISO's role is keeping the organization afloat: without the guardrails and planning a CISO puts in place, a data breach could cause an organization to crumble under the weight of financial and reputational damages.
Many CISOs, however, struggle to garner support from colleagues, board members and C-level professionals.
"If you're a nerd who can't talk business, they're not going to take you seriously," said Erdal Ozkaya, author of Cybersecurity Leadership Demystified.
In his book, Ozkaya offers tips to CISOs on how to balance the technical and business sides of the CISO role, as well as advice on how to communicate about cybersecurity at a senior and operational level. Guidance on building a successful security team, implementing effective security operations practices, working with HR and creating an incident response plan is also covered.
Here, Ozkaya -- author of 16 infosec and cybersecurity books -- discusses the importance of CISOs understanding business strategies and explains why CISOs need to build relationships with other departments to be successful.
Editor's note: This text was edited for length and clarity.
Who should read your book?
Erdal Ozkaya: The book will benefit people trying to become CISOs and recent newcomers to the role. When I was a security advisor at Microsoft, I met many CISOs who didn't come from the cybersecurity field. They were looking for advice, but there wasn't a single book to explain everything they needed to know. That's what I tried to do in Cybersecurity Leadership Demystified.
In the book, you wrote, 'The security team will need to partner up with other departments within the company to ensure that the CISO … understands all the aspects of the business.' Why is this step so important?
Ozkaya: I'll answer two ways: for people who come from the industry and for people who don't.
People who come from the industry are usually nerds, computer gurus or geeks. They like to program, conduct penetration tests and minimize communication as much as possible. In a C-level position, however, you have to sit down and talk about security with people who don't understand technology. Today's CISOs must understand business and technology.
It's similar for people who come from outside the industry. If you look through LinkedIn, you'll be surprised at how many CISOs previously worked in marketing or product management roles. While these individuals might have business experience, they still need to understand the technology. CISOs must understand the core values of cybersecurity so they can build the right defense mechanisms.
Which departments and teams should CISOs prioritize partnering with?
Ozkaya: CISOs should work with all departments, but not all departments are equal when it comes to cybersecurity. The cleaning department, for example, can't help clean computer viruses. That requires help from the incident response team.
It's not about if, but when you're going to get hacked. Prepare so you can get your business back online as soon as possible. First, work with the incident response team. Second, have a security operations team that can keep an eye on the network. Third, have a red and blue team. These internal ethical hackers help find vulnerabilities. The only difference between the red team and hackers is that the red team will metaphorically break into your house, open your safe and leave a Post-it note saying, 'I used this technique to get into your house, but luckily, I'm a friend, and I just wanted to showcase how easy it is to steal your jewelry.'
Learn about HR's role in cybersecurity in an excerpt from Chapter 4 of Cybersecurity Leadership Demystified by Erdal Ozkaya, published by Packt.
What skills do CISOs need beyond technical knowledge?
Ozkaya: CISOs need soft skills and strong business skills. They need to be able to explain exactly what they need. Executives don't care how many viruses you have, but will care if sensitive company details are leaked. CISOs need to use metrics board members and C-level colleagues understand.
It's like asking a bank for a mortgage. The bank will ask several questions: 'How much do you need? Can you pay the loan back? What is the ROI?' The same thing applies for boards. They'll say, 'OK, you want $2 million, but why?' CISOs need to know how to market their strategy because board members will only award the budget if they understand the benefits.
How has the CISO role changed in recent years?
Ozkaya: It has changed a lot. With more attacks, there's more on the line for CISOs. Imagine you're about to put money into a bank when you find out the bank just had a huge data breach. Are you going to choose that bank now? Probably not.
The first thing that happens after a cyber attack -- if it's a publicly traded company -- is that its share price drops. Would you like to lose the trust of your shareholders, customers and employees? SolarWinds is a famous example. Leaders must work with cybersecurity professionals to maintain trust. This doesn't mean your organization won't get hacked. But, if you implement the right strategies to protect your core data, who cares if you have a cyber incident?