Facing rampant cybercrime and increasingly complex technology environments, companies are doubling down on security. In many cases, that means elevating the role of the chief information security officer and giving CISOs responsibility for risk management, which has typically been the domain of the CFO.
“The CISO role has evolved as the impact of cybersecurity has become more prevalent and awareness of the business risk caused by cybersecurity has evolved,” says Jeffrey Weber, executive director for Robert Half Technology.
Today’s CISOs are no longer low‑profile IT execs in charge of network security. Increasingly they are important partners in the C‑suite, helping companies understand and manage security risk much more comprehensively than in the past.
Not every security professional has the skill set to thrive in the modern CISO role. Here are the most critical skills to look for in a modern CISO, according to several recruiters.
More CISOs today are part of the C‑suite, with many reporting directly to the CEO. To succeed, CISOs need strong relationships with fellow executives. That’s why strong communication skills are critical to the role, says Blake Angove, director of technology services at the recruitment firm LaSalle Network.
“Communicating cybersecurity risks to business leaders in a manner they understand is what enables decision making,” he says. “CISOs need to exude an executive presence and carry themselves as leaders in the boardroom.”
This starts with distilling information security requirements, goals, and reports into language the board understands, Angove says. Equally important is communicating the right information.
CISOs should focus their boardroom topics on the top cyber risks, emerging threats, the organization’s maturity level, and audit and regulatory concerns, Deloitte advises. “A key objective for the CISO when interacting with the board is to become a trusted advisor who proactively helps illuminate these issues,” the firm says.
Most CISOs came up through IT organizations where they spent years monitoring and analyzing security risks. Today’s CISO needs to put that information into context for the business, which requires a deep understanding of business fundamentals.
“The CISO is not simply a technical position that defines a set of internal requirements for the technology deployment,” Weber says. “[CISOs] must understand the complexity of the relationships between the technology, the business impact, and the usage of the technology, in order to educate the enterprise on the impact of security risks.”
Because CISOs need to understand, speak, and think in business terms, more are getting MBAs, Angove says. “About 50% earn one today, which isn’t something we saw five or 10 years ago.”
CISOs shouldn’t just be viewed as compliance monitors and enforcers, Angove says. They also need to understand the organization’s appetite for risk, contextualize it against industry trends, and use their specialized knowledge to help guide decision making.
“Balancing risk and business value can be difficult,” Angove says. “They need to walk a line between securing the organization and enabling the business. If CISOs are only concerned with managing security, they’re set up to fail.”
Prioritization is critical as CISOs weigh these tradeoffs. Prioritizing well requires both holistic visibility across the environment and the ability to surface the context behind each event. Companies increasingly rely on automation to achieve this.
“Automation helps CISOs focus their teams on critical events quickly,” says Piero DePaoli, senior director of product marketing for ServiceNow’s Security & Risk portfolio. “Automating processes fundamentally transforms the way companies and organizations are protected by helping CISOs be more effective.”
A learning mindset
CISOs live in a world of perpetual change. Key challenges include defending a complex attack surface, dealing with an acute shortage of security talent, reshaping the culture of their organizations, and figuring out how best to apply machine intelligence, AI, and other emerging technologies. There is no best‑practices bible for managing it all. It’s a juggling act that requires a proactive desire to learn.
“CISOs need to roll up their sleeves and spend time with their teams,” says Angove. “When you’re in tune with what’s going on and what the trends are, you’re able to stay in front of the threats and make sure those areas are secure.”
Learning should extend beyond the office walls. CISOs should actively participate in networking circles, stay active with conferences and seminars, and look for opportunities to present to the cyber community on risk and threat scenarios.
“The CISO role needs to be one of constant learning and growth,” Weber says. “The cyber risk landscape is constantly changing, and the CISO needs to anticipate these threats and risks.”