How to Become a Successful CISO


Being a successful Chief Information Security Officer (CISO) means understanding how the regulatory and privacy landscapes have changed over the past several years. In the past, the CISO role meant organizing assets. Increasingly, however, this senior security professional needs to manage risk in order to protect the company they work for. Risk management, once the sole responsibility of the internal auditor, now crosses all areas of the organization. These changes in the security landscape mean that a successful CISO needs to think differently about the role.

How to Be a Successful CISO

9. Manage Risk

In the old days, CISOs were responsible for implementing and managing security assets. However, as Andrew Wild argued in an interview on Information Security Today:

The role has evolved from being focused primarily on the implementation and management of security control technology (firewall, IDS, AV solutions, etc.) to a consultative, business process aware, risk management professional. The CISO’s role change from IT security technology solutions expert to enterprise risk management executive requires a risk-based approach, and CISOs must adapt and embrace this and move away from a security controls focused approach to information security.

Although security controls remain one way to approach information security, the successful CISO recognizes that controls exist to respond to risk, not the other way around.

8. Build Coalitions

As the CISO’s job shifts toward advising people about risk, it also requires stronger coalition-building skills. With the CISO’s role changing within the organization, people become the key focus, not software deployment and maintenance. Becoming a successful CISO means building relationships with all departments, not just within IT. An article on Cyber Toa, a cybersecurity professional website, reminds readers:

A CISO is responsible for promoting and encouraging security habits within the organisation to maintain appropriate standards for the information being handled. They can ensure employees receive awareness training, and understand the risks and consequences of their actions, both online and when handling physical copies of information.

A successful CISO builds a culture of information security compliance by creating relationships. When the CISO treats employees as partners in information security, people are more likely to comply with requests.

Building coalitions doesn’t stop with the employee base. Working with your CIO means understanding the changing role they face as well. Kelly Sheridan notes at Dark Reading:

Every company views risk management differently, he continues. Some businesses have their CISO report to the general counsel, head of compliance, COO, or CEO. In addition, the CISO and CIO are becoming more empowered to veto key strategic decisions.

“The CISO has a seat at the boardroom table,” says Dawn-Marie Hutchinson, executive director for Optiv’s Office of the CISO. “They’re saying, ‘Let’s talk about what the business is doing strategically and how we can enable that functionality.’”

This used to be the CIO’s conversation, she says, but reporting structure is changing to prioritize security issues and projects. Businesses want to know how they can maintain the privacy of information systems, and the attention is giving CISOs more face time with board members and execs.

As the roles shift, the relationships need to be rebuilt. The successful CISO works with the CIO to create a unified IT structure that promotes information security.

7. Communicate Effectively

Effective communication may be part of building coalitions, but it goes much further than that. Communicating with the organization means sharing your vision in ways that everyone else can understand. While this may lead people to agree with your insights, it does not stop with their agreement. When interviewed by CSO Online about the keys to being a successful CISO, Kim Jones explained the communication problems his nonlinear thinking caused:

The problem is, though, that I tended to (accurately) leap to the conclusion about an issue without laying out the steps, thinking that everyone could see the same thing I did. This really hampered my ability to communicate to non-security/non-IT folks early in my career. I spent a long time (with the help of good mentors) learning how to communicate and lay out the steps so that others could reach the conclusions I was leaping to.

CISOs often present their ideas to nontechnical audiences such as the Board of Directors. This means that being able to break ideas down into pieces a layperson can understand can be the defining skill of a successful CISO.

6. Learn the Business

With technology becoming more integral to businesses every day, CISOs need to invest themselves fully in the organization’s business goals. A successful CISO understands not just the technological and human sides of security, but also the way information security fits into the overall business plan. Avtar Sehmbi, in a 2010 article about employable CISOs, listed six key principles on which to base a CISO career. Three of them concern understanding the overall business plan:

  1. Engage with the business. CISOs need to demonstrate an ability to navigate their way within the organization by developing relationships with key stakeholders. An aptitude to discreetly understand the organisation’s politics, expectations, and concerns is essential. Finally, they need to display a competence in qualifying the level of investment that is appropriate for any security initiatives, whilst ensuring the proposal is relative to the organization’s needs. You can’t, and shouldn’t, make changes without fully understanding the impact they will have, determining whether the investment is necessary, and being able to justify the expense or identify the impact to revenue streams.
  2. Focus initiatives on what is learnt. A CISO needs to understand not only their own area, but also that of the business and where they fit within the organization. Spend time engaging the business before producing security strategies. The engagement process will enable you to define the strategy’s core work streams. This will ensure the strategy has complete buy-in and sponsorship from the business and is in line with objectives.
  3. Align, target and time initiatives. Convey an understanding of the business strategies aligned with the challenges facing IT – mergers and acquisitions, regulatory pressures, financial pressures and competing initiatives. Using this understanding, map out the next 12-, 24- or 36-month period in comparison to what the business is trying to achieve strategically and tactically. Doing this will also provide you with the agility to propose any unplanned changes that may emerge throughout this period.

The successful CISO focuses on information security as it relates to the overall business model, ensuring a symbiotic relationship between security and profitability.

5. Have a Vision

Many people would assume this to be the first step to being a successful CISO. The reality is that until you understand the risks inherent in your particular business, can build coalitions that work with you, and can explain yourself in ways that create ongoing compliance with your vision, that vision is meaningless. Without vision, however, a CISO becomes just another employee. ZRG Partners, a recruiting firm, researched the top skill sets for CISOs and determined:

An organization also needs a Chief Information Security Officer (CISO) who has certain visionary and leadership characteristics. These include a torchbearer who has an intellectual curiosity; someone who is an independent thinker and analytical; a person who has a strong understanding of the organization’s operations and processes.

In the world of information security, having a vision means being able to anticipate threats before they materialize. The successful CISO sees where threats are heading and finds ways to build the corresponding protections into the organization before those threats become a reality.

4. Stay Educated

Technology changes daily, and so threats change daily. To be a successful CISO, you need to be willing to learn and adapt to these changes. Paul Calatayud of Surescripts notes:

A CISO needs to adapt easily to change. Technology is constantly evolving and a successful CISO understands that. Big data is just one example. And as new technology and trends like big data emerge, we as CISOs need to figure out how they fit into our security landscape.

In the CISO role, always being a student and learning is a must. You can’t just learn a skill once, apply it and be done. There is always a need to refine and adapt. In other fields, you must have certain skill sets and a specific background, but once you acquire those, you are able to apply your experience in a fairly standard manner.

With security, it’s constantly changing, and a CISO needs to be continuously learning and adapting. You always have to account for the privacy impact, address challenges and opportunities – and now, to understand this, CISOs essentially need to become data scientists as well. It’s par for the course.

Staying educated may mean ongoing training or simply reading industry reports regularly. Successful CISOs recognize not just the changes already visible in the information security landscape but also the trends that are still emerging.

3. Be Decisive

A successful CISO makes important decisions to protect themselves and their organization. Showing that they are capable of making these decisions earns them more respect and more control over the information landscape. According to a Tech Republic article:

[A 2014] report also indicates that executives have a preconceived notion that the CISO is often a “scapegoat” following security breaches. That opinion is backed by an astounding 44% of C-level executives who believe that CISOs should be held accountable for “any organizational data breaches,” while 54 percent said that CISOs shouldn’t be responsible for cyber security purchasing decisions.

For CISOs to do their jobs effectively, they have to be put in positions where they can make decisions, and they will often need to prove that ability first. Peak 10 notes that CISOs need to:

Accept risk and disruptions. Risk and disruption are inherent parts of a CISO’s job. This, however, does not mean it is okay to sit idly by waiting for disaster to strike. CISOs must establish upfront processes that handle emergencies as seamlessly as possible. An emergency response plan that reflects the company’s risk tolerance and strategy will eliminate the imminent panic factor and substitute it with a pre-designed set of instructions for a quick, strategic response.

Getting ahead of attacks, and being willing to accept the risk that a decision turns out to be a weak one, shows leadership and confidence, which can lead to being given more responsibility and decision-making power. For a successful CISO, being indecisive can be more damaging than being incorrect.

2. Understand Contract Implications

Increased reliance on technology means increased reliance on vendors. Bringing in vendors can diminish the CISO’s control over internal systems, so the successful CISO needs a firm grasp of the security implications of vendor contracts. John Linkous writes in an RSA Conference article:

Another key skill, particularly with the adoption of outsourced services (think cloud), is the ability to understand the security impacts of contracts. A good CISO should be a trusted adviser not only for IT contracts, but for every other contract the organization signs, as well. For many organizations, business partner agreements rely on an exchange of proprietary data; the CISO must have visibility into these contracts during negotiations—not after the ink is dry—and must be able to identify potential risks and threats. Good language comprehension skills, coupled with a good relationship with the legal department, are critical.

Just as business skills are becoming more important for the CISO, so are language and interpretation skills. The CISO does not need a law degree, but they must understand the potential risks that come with contract partnerships well enough to provide useful insight during negotiations. The questions or concerns the CISO raises at that stage can help frame the vendor relationship before security problems arise.

1. Promote Ethical Practices

While being ethical seems obvious, the definition of ethics in security has changed along with the technology. As laws have evolved, so has the definition of malicious hacking. Questions that were once gray areas now have clear answers, and those answers shape how CISOs approach their responsibilities. Richard Starnes notes in a Computer Weekly article:

Take two potential candidates. The first says: “In the early 1980s when I was a teenager, I hacked a few sites for fun but never did any damage.” At that time, there were few, if any, laws against hacking or programs teaching young people the ethics of using information systems.

The second says: “In the late 1980s when I was a teenager, I hacked a few sites for fun but never did any damage.” By the late 1980s, Scotland Yard’s Computer Crime Unit was fully formed, the Morris worm had hit, the US Congress had passed the Computer Fraud and Abuse Act and Parliament was well on its way to passing the Computer Misuse Act. Same actions, but different time frame. Would you hire this person based on either scenario?

A final example: the CISO makes important strategic corporate purchasing and product marketing decisions based on close personal ties with suppliers, not the needs of the company or on sound product testing. Is that acceptable? One would hope that a CISO wouldn’t put their employer in that position, but some do. How strong are their ethics?

As successful CISOs are given greater decision-making power, their ethical responsibilities increase accordingly.

As technology evolves, so does the role of the CISO. Being a successful CISO means adapting through continuous skill building and relationship building.

How have you seen the CISO’s role change? Are there any other skills not listed here you think are necessary for success?