With the increasing number of cyber-attacks, the role of a CISO (chief information security officer) in an organization has changed. The modern CISO is not just a head of department, responsible for the implementation and management of security controls—like ensuring every workstation has the latest version of endpoint security, or making sure critical ports are not exposed to the internet.
As a C-level executive, their role is now made up of two crucial and equally important elements. Firstly, to enable the organization to achieve their business goals—such as releasing better products faster than competitors, looking attractive to stockholders and increasing revenue.
Secondly, they need to be cybersecurity professionals, and minimize the risks of cyberattacks that could threaten their business.
Getting this right requires not only excellent security expertise and awareness of the latest technology trends, but also soft skills, which may not come naturally to those who started their career in the IT department.
To help today’s CISOs succeed in their roles, there are four key skills to focus on.
Historically, CISOs were responsible for developing a defense plan based on their company’s IT landscape. The modern-day approach, however, needs to line up with the business vision. That is why almost every CISO needs not only detailed IT security knowledge and a list of certifications, but also a business mindset.
As a result, CISOs cannot simply dismiss technology that their business would like to implement. They need to evaluate the associated risks and propose a secure strategy that will not impede organizational progress. If staff need access to corporate resources from their own devices, the CISO should implement a BYOD policy on the network. Best practice is for the CISO to act as a risk manager, offering assistance and guidance to the business.
Communication and presentation skills
Very few top managers have a security background, which is why a CISO must develop rhetoric that ensures the board understands how serious the risks are, and avoid speaking in IT jargon.
The skill of translating cybersecurity language into business terms can fill this communication gap. It also helps when it comes to presenting the justification for the IT security budget. That budget is often part of the overall IT expenditure, and money tends to be prioritized for IT projects that demonstrate evident business profits and ROI.
The ability to tailor information to a non-technical audience and create strong arguments (penalties for non-compliance, damage caused by past attacks, breach reports) can prove that benefits far outweigh the costs.
Crisis management skills
Recent research shows that 86% of CISOs think cybersecurity breaches will happen sooner or later, meaning that businesses cannot afford to be unprepared.
An action plan is not limited to changing affected passwords or recovering systems. To eliminate the attack, it is essential to figure out who is responsible for which actions and to identify the key contacts in other departments who must be informed first. These can include the legal, PR or customer success teams, who, in turn, will be able to take part in resolving the crisis.
It is essential that the CISO remains aware throughout an incident and acts as the link between stakeholders: coordinating the information security team in its incident response activities, informing the business and advising on how to resolve the situation.
Supervisory and leadership
With 62% of CISOs agreeing that there is a shortage of cybersecurity talent, it is becoming harder to find new security specialists. However, the main cause for concern is employee retention. Losing staff also increases the workloads of those who remain, which is a further worry for security leaders.
A CISO should be a leader whom people can follow and a mentor who can support the team and find ways to motivate employees. This could include granting more decision-making authority, offering learning and professional development opportunities, and simply recognizing a person’s hard work. To be an effective manager, a CISO must choose the optimal incentive or source of motivation for their team.
A CISO’s role requires a unique combination of soft, human skills and hard, technical skills. They must develop management and leadership qualities, a broad understanding of IT, a business mindset and cybersecurity knowledge.
Maxim Frolov is the Vice President of Global Sales at Kaspersky Lab.