The Chief Information Security Officer: what skills?

(By Carlo Mauceli)
14/09/20

For many cybersecurity professionals the ultimate career goal is to take on the role of Chief Information Security Officer (CISO). CISO is an executive-level position responsible for IT risk management and operations.

As we know, cybersecurity is transforming, and today a good CISO must also have strong communication skills and a deep understanding of the business. To be able to fill such a role it is necessary to understand how the role is evolving and which skills are needed to excel in it.

As business organizations pursue digitization, including through the use of cloud services, their ability to leverage technology effectively has become integral to their success. However, this process has also created more opportunities for cybercriminals.

In recent years, businesses of all sizes have suffered reputational damage and have spent significant resources recovering from an attack or have been forced to pay fines for violating privacy laws.

A good CISO needs to know that a cyber incident is primarily a business risk and not just a simple cyber risk. When making decisions, boards and executive teams need to be able to assess the likelihood of a data breach as well as financial loss or operational risk. A good CISO helps them do that.

According to research by Deloitte, there are four roles, or faces, that a CISO must possess and develop: the technologist, the guardian, the strategist and the consultant.
Many of the people who aspire to the role of CISO are probably already familiar with the characteristics of the technologist and the guardian.

As technologist, the CISO is responsible for guiding, deploying and managing security technologies and standards.

In the role of guardian, the CISO monitors and governs programs and controls to continuously improve security. We must never forget, however, that technical controls and standards will not completely eliminate the risk of cyber attacks and that the CISO does not have control over all the conditions that can increase the likelihood of a breach; this is why the roles of strategist and consultant have become increasingly important.

As strategist, the CISO must align security with business strategy to determine how investments in security can bring value to the organization.

As consultant, the CISO helps executive teams understand cybersecurity risks so they can make sound decisions based on the information they receive.

To excel in these roles, it is important to have excellent business knowledge, to understand risk management and to improve communication skills.
As we said previously, if you are already working in the IT security sector and are interested in growing into the role of CISO, you probably already know the aspects related to the roles of technologist and guardian.

You can improve your technical skills by seeking to gain experience and obtain certifications in a variety of areas, so that you understand threat analysis, threat hunting, compliance, ethical hacking and system controls. But that is not all. You also need to find time to work on your leadership skills.

  • Understand the business: this is the most important step if you want to prepare for an executive-level role; you have to learn to think like a business person. Who are your customers? What are the great opportunities and challenges of your industry? What makes your company unique? What are its weaknesses? What business strategies guide the organization? It is essential to pay attention to corporate communications and annual reports to find out what the company board's priorities are and why certain decisions have been made, and to read articles related to your sector to gain a broader perspective on the business environment and on how your company fits into the market. This research will help you make better decisions about how to allocate limited resources to protect corporate assets. It will also help you to frame your arguments so that the company listens to what you want to propose. For example, if you want to convince your organization to upgrade your firewall, it will be easier to convince decision makers if you are able to explain the relationship between a security incident and the company's relationship with customers or investors.
  • Learn risk management: Forward-thinking companies regularly take strategic risks to achieve their goals, seizing opportunities to launch new products or to acquire a competitor that will make their products more attractive to the market. These decisions, if wrong, can cause huge losses or bankruptcies. Risk management is a discipline that seeks to understand the positive and negative sides of an action and to eliminate or mitigate risks as much as possible. By comparing the likelihood of various outcomes, such as the return on investment if the firm succeeds or the potential loss in the event of failure, managers can make better decisions. The CISO helps identify and quantify cybersecurity risks that should be considered alongside financial and operational risks.
  • Improve communication skills: To be a good consultant and strategist, you need to communicate effectively with people who have different experiences and backgrounds. One day you may find yourself arguing with a very technical member of your team; the next day you may need to take part in a business decision at executive level, or even be invited to report to the board of directors. A communication plan can help you refine the messages to be given to the various audiences.

To start developing these characteristics, you need to try to understand the goals of the people you talk to regularly. What are their needs? Is it possible to frame security communications in terms that help them overcome these challenges? You need to think, and take the time to put yourself in someone else's shoes, before meetings, hallway conversations, and exchanges of emails and chats. It can really make a difference!

A good communication plan provides targeted security messages (see table).

In recent years, the CISO role has increasingly been brought onto the company board precisely to provide strategic security advice.
Building leadership skills such as risk management and communication will help you grow into this increasingly important role.