The role of CISO (Chief Information Security Officer) is a relative newcomer to the C-suite. Its importance has grown considerably in the last decade as cyber threats became such a high risk. As companies decided they had real challenges with information security, the CISO gained more power to protect their data and digital interests.
There is no debate over the importance of having a CISO on staff, but I’m going to make a possibly controversial statement. A CISO isn’t a technical role. I don’t mean that those with this title shouldn’t have technical acumen, but there are other skills relating to leadership and strategy that matter more than being an expert on every aspect of cybersecurity.
In this post, I’ll make a case for why it isn’t a technical role and define the most critical CISO skills.
Who Are Today’s CISOs?
The path to CISO has evolved significantly in the past 25 years. In the early days, a CISO was compliance-focused, and the functions were purely in the IT bucket. Then risks became a bigger concern, and the job became much less tactical. CISOs were involved in policy and procedure development and creating frameworks.
In the past five years, CISOs have become a central leadership role. They have responsibility for a large portfolio, from cloud strategy to IAM (identity and access management) to mergers and acquisitions. They are the determiners of risk and its priority.
What Challenges Do CISOs Face?
To better understand the skills that matter for CISOs, it’s helpful to know where they are struggling. These insights are from the Global CISO Study.
- Only 19% state they are highly effective at preventing security breaches.
- 30% of those surveyed said lack of resources (people and technology) is an obstacle to better security.
- Regarding talent, 91% said attracting and upskilling were critical for success, while 89% said retaining existing employees was.
Based on this data, I can make some assumptions. CISOs aren’t exceptionally confident in their security posture. They also have lots of concerns regarding staff. They don’t have enough, can’t attract them, and have a hard time keeping them. The cybersecurity job market is flush with opportunity, but that’s somewhat of a negative.
As I’ve talked about before, the demand for these roles created a swarm of paper tigers. These are folks with certifications in cybersecurity who don’t have the skills or experience to handle the demands of the job.
A CISO is like any other C-suite role. They have to build out a team, except now the org chart has more and more layers. This elevation, just like other executives, means they aren’t executors. They set the strategy, make the big decisions, and hopefully hire the right people.
A Less Technical “Outsider” CISO Simplifies Cybersecurity
The concern with a “technical” CISO is they may have come from a paper tiger culture. Lots of CISOs got the job because they had the certifications and degrees. Those hiring them weren’t technical. So, when such a person used overcomplicated language and complex cybersecurity frameworks, the CEO was like, “You’re hired.”
Unfortunately, that path could be making your cybersecurity weak and your network ripe for exploitation. These individuals posture, typically don’t listen to others, and have less-than-optimal communication skills.
Whereas if the CISO is less technical and not an internal ladder climber, it could simplify and improve cybersecurity. These “outsiders” are likely to have more clarity and do the thing they really need to do — lead.
They aren’t distracted by trying to be the smartest person in the room. Instead, they listen and communicate well. They defer to experts about the technical stuff or the newest tools to automate. The truth is cybersecurity strategies don’t need to be complicated to work. Simple is actually better in many cases. And simple comes from people skills, not technical ones.
What Are the Most Important CISO Skills?
An article in Forbes by Darren Death named the Top 10 Skills a CISO needs to be successful (full disclosure, he is a CISO). Here’s the list with my own commentary on each skill.
1. Communication and Presentation Skills
Every leader needs to be a master communicator. Having excellent communication skills is not the same as being articulate or liking to talk. Communication is about listening. When someone is a strong communicator, they engage in conversation with others to learn, not refute. Additionally, communicators use language carefully for clarity.
Presentation skills are equally important. At that level of role, you have to present findings to the rest of the C-suite and board. These presentations must explain where the company is and where it needs to be in cybersecurity to get the funding and resources required.
2. Policy Development and Administration
Policies are the responsibility of a CISO, but technical prowess isn’t needed. What is necessary is developing things that are implementable at scale. What they create must meet the company’s goals and any legal requirements.
3. Political Skills
A CISO needs to be able to interact and persuade. They also need to know what the rest of the executive team needs and their cybersecurity concerns. This is where more of those great listening skills come into play.
4. Knowledge and Understanding of the Business and Its Mission
A CISO’s highest task is to keep what’s important secure. They can’t do this well if they don’t understand the business, its operations, and the missions it seeks to deliver. Grasping the big picture is essential for an effective CISO.
5. Collaboration and Conflict Management
Cybersecurity is not an island unto itself. It involves every area of the business. A great CISO creates partnerships with all those stakeholders. A culture of collaboration can go a long way to improving security. Being able to resolve conflict is also a plus because different parties have competing priorities and opinions.
6. Planning and Strategic Management
Being a planner is also a necessity for the role. There are lots of moving pieces in projects, as well as many people. In planning, a CISO must also be strategic to support the business’s desired risk posture. They also need to be flexible enough in these to pivot when necessary.
7. Supervisory Skills
The CISO is only the top of the team. They have many folks under them that are implementing and executing. Thus, the role needs to be a proven supervisor who chooses to mentor and develop people. This is no place for a dictator.
8. Incident Management
Incidents will happen; preparation is crucial. The CISO should develop, test, and augment an incident management plan.
9. Regulatory and Compliance Knowledge
No matter the industry, there are regulatory and compliance obligations. A CISO should know these inside and out so everything the company does is in line with them. They’ll also need to stay on top of changes, which occur often.
10. Risk Assessment and Management
We end with risk ownership. Risk assessment and management is a never-ending part of the job. A CISO must be in tune with the fluctuating levels of risk and new and emerging ones.
If someone has these 10 skills, they are well-positioned to be a great leader in information security. If they happen to have technical skills, too, all the better. But a narrow focus on a technical CISO is likely to fall flat when what an organization needs is a communicator, mentor, and strategy expert.
CISOs Will Likely Be Culture Leaders, Too
A PwC and Harvard Business Review survey on making cybersecurity a competitive advantage also notes that culture will soon be in the CISO bucket. If that plays out, the need for soft skills like those above will far outweigh technical ones. They’ll be setting the security culture, but that has a significant impact on organizational culture. Security, after all, is a responsibility for all employees. Further, when a company has strong cybersecurity, it can be a competitive advantage. It can attract more customers and revenue, reduce costs in other areas, and contribute to job satisfaction.
Cybersecurity and CISOs Are Positively Evolving
The abilities that matter the most for a CISO to succeed have little to do with technical aptitude. The role evolved dramatically and will continue to do so in a positive manner. The entire industry of cybersecurity is, too, and can benefit from these skills. To revolutionize your cybersecurity practices and the team behind it, you’ll learn a lot from my book, The Smartest Person in the Room. Get your copy today for a better cybersecurity future.