Close to two-thirds (62%) of Fortune 500 companies now have a CISO overseeing their security strategies, according to a recent report from Bitglass.
But as more chief information security officers have emerged onto the scene in the past decade, their responsibilities have grown and evolved. Once a more technically focused position, CISOs are increasingly being called on not only to implement security for defense, but also to drive business objectives forward, manage teams that collaborate, and serve as an ambassador for security around the company.
That requires more of those so-called soft skills you don't necessarily get in college.
In fact, when we asked CISOs and other executives to cite what it takes to run a security program today, they hardly mentioned technical skills or a security background at all. Here's what they told us.
The Ability to … Earn Respect
Jon Hill, CEO of staffing and management firm The Energists: "Some officers are leading departments with dozens of employees, so they must be able to garner respect from their employees and lead their teams to success. [For example], as a CISO, you're often struggling to get budget from the organization. But if you don't get the resources you need, your entire network can end up vulnerable to cyberthreats, and you'll be the one that takes the blame. So you have to be able to communicate the importance of your department to the company, even when other departments are fighting you for resources."
The Ability to … Work Across the Organization
David Menichello, CISO advisory practice director at cybersecurity services firm BTB Security: "Building relationships across the organization, regardless of their ties to security, will open up lines of communication, allowing you and your security team to get information faster, and will enable the CISO to influence security behaviors across an organization. Being able to break down technical concepts and draw parallels to the rest of the organization is important for any CISO's success."
The Ability to … Pay Extra Attention to DevOps
Christopher Gerg, CISO of data-recovery services firm Gillware: "[DevOps] have to make security part of everything they do – requirements gathering, writing code, peer code reviews, QA testing, and deployment all need to have information security considered as an integral part of what they do. This requires the CISO in this small scale to develop a strong buy-in from the team, and, as much as possible, automated solutions should be used to enable the security aspects of all of these tasks – static code analysis libraries integrated into the development tools, automated testing, built-in approvals. Trying to ‘bolt on' security after the fact is doomed to fail."
The Ability to … Foster Team Comradarie
Jon Hill, CEO of staffing and management firm The Energists: "I'd say that the best CISOs have strong conflict management skills. In order for your organization to be safe and secure, every member of your team must get along. When rivalries start brewing and employees start fighting, the system becomes vulnerable. Your entire team has to trust each other and understand that they're working toward a common goal, even if they don't much like each other."
The Ability to … Demonstrate Credibility
Armond Cagler, principal of business and technology consultancy Liberty Advisor Group and co-founder of its business threat intelligence unit: "A vast majority of the CISO job is to implement real organization change – this requires backing, credibility, and adroit powers of persuasion. The position ultimately requires the leadership of a champion who can independently represent security's needs and vision. This person needs to be perceived as being credible by the decision-makers above him or her and should have a seat at the table with other executive stakeholders."
The Ability to … Talk Business
Robb Reck, CISO of identity and access management solution provider Ping Identity: "As security and privacy demands from customers and governments increase, the role has become increasingly business-oriented. That change has resulted in CISOs moving out from a portion of IT and into a full-fledged place on the executive team. CISOs are responsible for working closely with, and directing the work of, engineers in security, IT, and development. Therefore they need to have a strong background in technology and architecture. On the other hand, a CISO is responsible for translating technical risks to the executive team and board of directors. The ability to explain complex technical issues in the language of business leadership is difficult and important."
(Image: Ico Maker via Adobe Stock)