To maximize their influence, CISOs need diverse skills

In many organizations today, when the CISO talks, the CEO and board listen. CISOs who successfully rise to the occasion have broad skillsets.

For a long time, the main skill that CISOs needed was the ability and readiness to resign gracefully in the wake of a major cybersecurity incident. Joking aside, early CISOs did tend to have short tenures due to the distressing regularity with which systems were compromised on their watch. The buck stopped with them -- and their jobs often did, too.

This paradigm has shifted in recent years thanks to the following converging trends:

  • The number of organizations that suffer breaches continues to grow rapidly and includes businesses of all types: big corporations, small startups, governments and non-profits. As a result, the stigma attached to being breached has diminished.
  • Organizations big and small now depend on increasingly complex hybrid IT service delivery and data environments, leading to new and evolving security challenges.
  • The financial consequences of breaches continue to climb, making business leaders more interested in preventing and mitigating them rather than just finding someone to take the blame.
  • The financial, operational and even existential threat of ransomware has increased as the number of attackers and the sophistication of attacks continue to grow.

For a CISO, the responsibility for protecting an organization's systems and data is, in effect, the responsibility to protect the company's ability to function and even to continue to exist. As a result, the rest of the C-suite and the board are more ready than ever before to hear from -- and really listen to -- the CISO.

The iron is hot, and if security leaders want the best chance to shepherd their organizations safely through increasingly dangerous times, then they must strike. In the past, CISOs have focused primarily on identifying and mitigating threats to IT resources. To meet the current moment, however, CISOs need a broader perspective and the right set of technical, leadership and business skills, as well as a mindset centered on risk and reward.

Key technical skills for CISOs

Many of today's most successful CISOs position themselves as business leaders, rather than tech leaders. That said, mitigating cybersecurity risk -- the CISO's fundamental responsibility -- still requires extensive technical skills.

A CISO must be able to do the following:

  • Understand the capabilities of all the major categories of security technology, ranging from next-generation firewalls to single-vendor secure access service edge (SASE) services.
  • Understand the security capabilities of all modern OSes, hypervisor and containerization platforms, and cloud environments.
  • Understand that all parts of the environment can and should enforce relevant cybersecurity policies, including mobile devices; networks; on-premises data center servers, storage and applications; IaaS resources and instances; and PaaS and SaaS platforms.
  • Build or help build an overarching cybersecurity architecture, centered on zero-trust as an organizing concept.

Key business skills for CISOs

When executives view cyber threats as putting IT systems -- rather than the business -- at risk, they think of cybersecurity as someone else's problem and unworthy of high-level attention. To counter the misperception that cybersecurity is an IT issue rather than a business issue, a CISO must be able to do the following:

  • Understand how the organization works and what it does: What is the business, how does the work get done and by whom?
  • Convince stakeholders to include cybersecurity at the start of any business planning.
  • Make cybersecurity a strategic enabler and selling point, rather than an afterthought or obstacle.
  • Understand all the points at which operations are vulnerable to cyberattacks.
  • Present cybersecurity risks in terms of risk to the business.
  • Quantify the potential or actual impacts of attacks in business terms, such as their effects on revenue and costs.
  • Frame the potential or actual impacts of cyberattacks in terms of the organization's ability to meet business goals and financial targets.

Note: It is tempting to add reputational damage to the list of business impacts of cyberattacks, but truthfully, most organizations haven't suffered significant or long-lasting reputational fallout from a breach. This is likely due to the simple fact that so many companies have been successfully attacked.

Key leadership skills for CISOs

Everyone in the modern organization has a role to play in cybersecurity, from the front-desk administrator who knows not to give out his or her password to the nice person "calling from Microsoft," to the board member who understands that cybersecurity is not an audit checkbox but an operational and strategic necessity. The CISO's responsibility is to lead everybody in this effort and to help them play their parts well. That means cultivating the following leadership skills:

  • The ability to communicate clearly and cogently with technical staff in organizing core cybersecurity defenses around a unified architecture.
  • The ability to communicate clearly and effectively with non-technical staff about the ways in which they can mitigate risks to the company. This includes explaining why some things users want to do might not be easy, or even possible -- think: using publicly available AI chatbots for work purposes -- due to the need to protect the organization.
  • The ability to communicate clearly with the board and other corporate leaders to explain why it's necessary to continually invest in cybersecurity services, tools and teams as a strategy to mitigate operational and financial risks.
  • An understanding of how to raise the level of cybersecurity awareness throughout the organization, with particular emphasis on training users how to recognize and avoid social engineering attacks.

A risk-centric mindset

Finally, something that has always been true: No CISO should think of cybersecurity as just a bunch of vulnerabilities and defenses. Effective cybersecurity leaders understand every vulnerability in the context of the risk it represents to the business -- i.e., the scale of the harm it might cause and the likelihood it will occur.

For example, a CISO might put low-risk vulnerabilities on the back burner in order to prioritize exposures that could result in dangerous and costly breaches. Understanding risk and letting that knowledge guide decisions, from budgeting and planning to daily priorities, gives the entire cybersecurity organization a unified purpose and perspective.

John Burke is CTO and a research analyst at Nemertes Research. Burke joined Nemertes in 2005 with nearly two decades of technology experience. He has worked at all levels of IT, including as an end-user support specialist, programmer, system administrator, database specialist, network administrator, network architect and systems architect.
