Soft Skills Every CISO Needs to Inspire Better Boardroom Relationships

Now more than ever, CISOs have an opportunity to impact business strategy and change the culture of their organization.

Jason Lee, Vice President & Chief Information Security Officer, Splunk

December 15, 2023


COMMENTARY

The role of the chief information security officer (CISO) is changing. In a recent survey of CISOs, 86% of respondents said the role has changed so much that it's almost become a different job altogether from what it once was. In addition to their traditional responsibility of defending organizations from an increasingly complex threat landscape, CISOs need to reach across their organization, work closely with the C-suite, and provide high-level business strategy as it relates to risk.

This new connection between cybersecurity and business risk has pushed CISOs into the boardroom, where they are being asked to justify their investments by aligning security strategies to the board's vision for the organization. To walk this line, CISOs have to develop critical soft skills that allow them to bridge the natural divide that has traditionally existed between operations and security teams.

These so-called soft skills — such as communication, leadership, and emotional intelligence — are now requirements of the job, allowing CISOs to navigate this delicate balance and provide high-level risk assessment and guidance for their organizations.

Here are three soft skills every CISO needs today:

1. Collaboration

Digital transformation and the emergence of the agile, customer-led business model have destroyed the silos that once permeated organizations. Teams often operated in seclusion — heads down and focused solely on the task in front of them, with little to no visibility into what other business units were up to. This has changed dramatically over the past few years, as communication, collaboration, and integration between stakeholders from across organizations create operational efficiencies to improve resilience. From a CISO perspective, this means looking at every aspect of the organization — from sales and marketing to the supply chain, all the way up to the board of directors — through the lens of cybersecurity risk.

Collaboration will be critical in 2024, with the new Securities and Exchange Commission (SEC) cyber-incident disclosure rules taking effect. CISOs now need to understand how to communicate with stakeholders and the board about an incident. The only way to do this is to collaborate not only with chief financial officers (CFOs) to understand what stakeholders want to hear, but also with the legal department to set clear standards with the board on what they define as material. Working together allows the CISO to break down these silos, ensuring close collaboration toward business goals without adding unnecessary cybersecurity risk. If done right, with the appropriate transparency, any additional measures that are needed to combat a new or emerging risk or regulation should be easier to accept.

2. Communication

A big enabler of collaboration is communication. CISOs are finding that stakeholders — from regular users to the board — are more technical than ever before. People understand the impact of working in a hybrid model or moving applications to the cloud and trust the CISO to weigh the risks with the productivity and agility benefits. This requires educating everyone on threats, compliance, and other risks through the lens of business language and metrics that they can understand. By educating stakeholders on how implementing a new security strategy, process, or tool can contribute to business goals — such as expanding into an emerging market, improving development velocity, or driving up stock prices — CISOs can better communicate budget needs. Bridging the gap between technical capabilities and business results puts CISOs in a key advisory and thought leadership position that can lead to greater success.

3. Storytelling

CISOs also have to be good storytellers, using data to craft a narrative around how the business is mitigating growing risk. This includes taking a key performance indicator (KPI) — again using language and metrics that the board and other business stakeholders understand — and showcasing whether existing efforts are falling short and, if so, presenting a strategy to improve results. Tying this critical KPI to a larger initiative — growth, sustainability, or customer experience — goes even further to explain how cybersecurity and mitigating risk contribute to the overall mission.

CISOs Continue to Evolve

Now, more than ever before, CISOs have an opportunity to impact business strategy and change the culture of their organization. Everyone — from the customer service rep to the chairman of the board — is listening and relying on them for guidance on how growing cybersecurity risks impact everything from their day-to-day to broader business initiatives. CISOs need to develop new so-called soft skills to meet this challenge — using all their communication, collaboration, teaching, and storytelling skills to mitigate risk, create operational efficiencies, improve resiliency, and drive business growth.

About the Author

Jason Lee

Vice President & Chief Information Security Officer, Splunk

Jason Lee is Vice President and Chief Information Security Officer at Splunk. A highly respected technology executive with 20 years of experience in information security and operating mission-critical services, Jason led security for large enterprises prior to joining Splunk including Zoom and Salesforce, where he led the delivery of critical end-to-end security operations including company-wide network and system security, incident response, threat intel, data protection, vulnerability management, intrusion detection, identity and access management and the offensive security team. Before that, he spent 15 years at Microsoft and held various senior leadership roles, including Principal Director of Security Engineering for the Windows and Devices division, as well as Senior Director of Developer Services. As Senior Director of Developer Services, he oversaw the design and management of the mission-critical PKI for all products across the company. Lee holds a B.A. from Washington State University.
