1. What are the fundamentals of the CISO role?
Everyone has a somewhat different view of what a ‘Chief Information Security Officer’ (CISO) does, but generally we’re talking about that individual who has been nominated to oversee an organization’s security program. The initial perception is often that the CISO is focused on stopping breaches using technology, and although that’s all part of the job, there is a lot more to the position than just this.
A CISO’s role can cover a huge number of areas, differing from company to company depending on their needs. Scope might include governance and compliance, privacy, product security, and even physical security. I believe this last one is often overlooked when finding synergy between functions.
Cyber and physical security share common themes, and both benefit from a high-level situational awareness. Threats made to digital information are often similar to those made against your person or facilities. Physical security incidents can quickly evolve into information security incidents, as well. That’s why it’s vital that CISOs and the wider organization foster the link between the physical and cybersecurity practices.
In addition to having sufficient technical knowledge in the different areas of security, CISOs are responsible for bridging the gap between technology and people. Part of this is just being able to make security relatable. Helping a non-technical business leader understand why a complex, technical decision should be made enables that leader to be a security champion on behalf of the CISO.
2. What are the main skills required to be a successful CISO?
Over my career, I’ve recognized two valuable skills as being essential for any CISO or security leader – affability and adaptability. Essentially, security professionals need to be able to collaborate (opens in new tab)with others and adapt to change.
If we break down the purpose of a CISO to its basic level, it is a persuasion-based function which relies on strong collaboration skills. A CISO’s job is to rally stakeholders at all levels – board, exec leadership, and all employees – to become security advocates and practitioners. Earlier I noted that CISOs are expected to stop breaches – while this is certainly their goal, they can’t do it without everyone at the company doing their part. This may mean changing entrenched behaviors that pose security risk to the organization, which takes time, empathy, and strong alignment on common goals. The security team might deploy all the tools and processes it wants, but without employees doing the right thing, the program just isn’t going to work.
As part of this role, CISOs have the challenging task of convincing every stakeholder in the company to invest – financially and personally – in a unified attitude toward cybersecurity. And sometimes, what the business wants isn’t always what’s going to keep the company secure. The CISO has to find a way to communicate their priorities in a way that shows support for the business.
Collaboration is a crucial factor for success in any security practice, so building a security team with various different skills that complement each other will greatly strengthen the business dynamic. A CISO doesn’t have to have a degree in computer science or a rich technology-focused career path. Many security leaders I’ve come across have had a rather circuitous journey into their roles. What’s important is that they are able to empathize with their business partners and find a way forward that helps them be successful through protecting the company’s information assets.
3. How does the human element fit with the technological requirements?
It should go without saying, but people are fundamental to the success of a security program and leveraging the human element should be a key focus of any CISO. Technology is of course important in the security space, but it’s constantly changing, evolving as new threats and countermeasures are pitted against each other in a cybersecurity arms race.
CISOs also need to take time to educate their stakeholders about these countermeasures, to help get them past the buzzword stage. Zero Trust is a good example of this. While it sounds novel and innovative, the concept has been around for decades – it’s not magic, it’s just security common sense. But although Zero Trust might sound cool to security practitioners, end users might have a different perception. Our research found that 32 percent of UK security leaders fear that their employees will think their company doesn’t trust them if they implement a Zero Trust strategy. They have a point, and CISOs should recognize when and how to manage perceptions to make the most out if their technology strategy.
4. What would be your advice to the next generation of CISOs?
A while back I heard someone say “if you’re a CISO and no one is yelling at you, you might not be doing your job.” As extreme as this may sound, there is truth to it. Our job is to affect change, which isn’t always a straightforward process, and might ruffle some feathers along the way. But in order to achieve the best security outcome for businesses, we often have to take a stand and move people outside their comfort zones.
Although I think we’ve come a long way from making the CISO a scapegoat for every breach, there’s still the expectation that the CISO can prevent breaches, and definitely potential for blame going their direction when things go wrong. I encourage security professionals not to take this personally – data breaches are inevitable and can actually provide valuable learning experiences for everyone involved. There are so many moving parts in a modern organization and a CISO cannot singlehandedly prevent every breach every time. Instead, the focus should be on learning from the incidents and adapting to prevent the next attacks. They should also be empathetic to how these incidents might impact their team members. It’s good to discuss the mental and emotional dimensions of incident response, and how to maintain a healthy perspective in the midst of all the action.
Finally, a CISO’s mission to change attitudes will only be successful if the rest of the company is willing to listen. While it is the security teams’ job to educate and persuade, it’s important that everyone else takes the time to get involved in security too. Collaborating as an entire organization is the best way to build defenses and stand strong against incoming threats.
- Keep your organization safe with the best business antivirus (opens in new tab) solutions right now
James Nelson, VP InfoSec, Illumio (opens in new tab)