Top 3 Skills for a Successful CISO
Darkreading.com recently reported that companies with CISO’s are up from 50% in 2015 to 65% in 2016. What are the top three skills you’ll need if you’re looking for a CISO position? From my experiencing dealing with security leaders over the last 20 years of my career there are three clear traits an executive security leader must possess.
Interpersonal Communication / Presentation Skills
Forester Research posted study findings in 2015 that the most successful CISO’s spend approximately 25% of their time training their staff on interpersonal skills. Information Security is a highly political position and communication is key. Spending on cyber security in most organizations is viewed as insurance, you’re spending on something you hope never happens. This can be a very difficult proposition, and what makes the task increasingly difficult is that according to Verizon most security spending is driven from compliance. So how do CISO’s gain the authority and credibility to get funding for security controls that are effective and not just compliance check boxes? Through strong interpersonal communication skills of their own and through their team by extension.
If you have been successful to secure the budgets that you’ve requested, how do you rally the rest of the organization around new security controls like: two factor authentication, network access control, and application white listing? It must be though the process of building relationships in the organization, and getting your co-workers to understand security protects the business and them as an employee.
The Desire to Promote Business Growth
This is where I see many in a security leadership position miss-step. What happens when you put security controls in front of technically astute employees? They simply find their way around them, VPNing into a private server, using RDP to browse the web during company time. You lose employee productivity by locking them down so tightly because in most organizations people need some sort of freedom to do their job.
I’ve seen many cases where security is the party of no, and they lose credibility within the organization. The common perception of security teams that of:
“we’re not going to let you do that because you’ll hurt yourself”.
Co-workers are not children…
The mantra of successful CISO’s is one of:
“I understand you need to accomplish this business task, will find a way to allow you to do it securely”.
It’s critically important in today’s rapidly changing economy that CISO’s have a flexible mindset that is imparted to their team or the business will simply ride rough shot over them.
Strong Technical Security and Compliance Knowledge and the Desire to Share that Knowledge.
Yes, a strong technical skill set is required for today’s CISO’s; business adversaries have the advantage and time is on their side. If organizations are going to be successful they need a leader who fully understands what they will be facing. What maybe more important is that the leader must be willing to train his team or send them to training. A CISO who doesn’t fully understand the dangers that the organization faces, or how to rectify those dangers with compliance requirements will struggle to be successful. Building a security team requires at least a fundamental knowledge of all the areas of security such as GRC, application security, network and endpoint control, incident response, and the list goes on. The CISO should be able to hold competent conversations in all of these domains, if they are going to build the team around them that will protect the organization.