By Jake Olcott, VP of Government Affairs, BitSight
Since the creation of the first CISO role about 25 years ago, the job has changed dramatically. What was once an uncommon position has quickly become standard, with the majority of companies including a cybersecurity-specific role in their C-suites.
As cybersecurity has gone from niche issue to mainstream business concern, the CISO has become more important. And, although many CISOs come from purely technical backgrounds, new challenges have forced them to take on the responsibilities of business leaders.
As a result, the most important CISO skills are not necessarily technical in nature. Business skills like collaboration, communication, and management are just as critical for CISOs as they aim to reduce cyber risk in an increasingly fraught threat landscape.
Here are some of the most important CISO skills for 2020:
Cybersecurity is collaborative. The most efficient team of SOC analysts in the world can’t prevent incidents if employees in other parts of the organisation aren’t trained on good security hygiene. CISOs can’t give their teams the resources they need if their Board and fellow executives don’t understand security challenges and allocate the necessary budget.
Shockingly, however, only 22% of companies say their organisation’s security function is integrated with other business functions.
CISOs in 2020 and beyond will need to build collaboration skills in order to act as ambassadors for the cybersecurity program. Communicating security priorities to other departments and across lines of business or distributed workplaces is a challenge, but gaining their buy-in is essential to maintaining effective security.
CISOs don’t have it easy. 91% of CISOs say they suffer from moderate or high stress, and 27.5% of CISOs say stress affects their ability to do their jobs. CISO burnout is real, and it can create new security risks as well as personal challenges.
Strange as it might seem, one of the most important skills for CISOs is making sure they don’t become victims of burnout themselves.
One aspect of avoiding burnout is stress management. Exercise, meditation, and other stress-reducing activities can be very helpful. However, personal stress management isn’t going to be enough to stem the burnout crisis. CISOs can also consider advocating for policies in their organisations that reduce the likelihood of job stress, such as workplace wellness programs or limiting after-hours email notifications.
Increasing employee engagement
CISOs aren’t the only cybersecurity professionals at risk of burning out. 65% of SOC professionals say stress has caused them to think about quitting.
As the cybersecurity skills shortage drags on, the most effective CISOs will be the ones who make sure their best employees stay on long-term.
With a 0% industry unemployment rate, the market pressure is on the employer to keep employees happy, not the other way around. That means security leaders must hone their people management skills and keep a finger on the pulse of employee engagement.
There are many techniques for increasing employee engagement, and each CISO will need to figure out what will work best in their own organisation. Some effective techniques include:
- Increasing the frequency of employee/manager meetings
- Giving employees several avenues for giving feedback, including anonymous suggestions
- Adding more social time to the schedule, or hosting company-sponsored parties or group activities
- Recognising high-performers with awards and prizes
Communication and reporting
When reporting to the Board, other executives, or even third-party auditors, CISOs need to make sure they get the messaging right.
One of the most important CISO skills is being able to translate complicated technical concepts into easy-to-understand language. When others can actually wrap their minds around the challenges of the cybersecurity program, they’re more likely to buy in and provide support.
On a basic level, CISOs can improve their communications by avoiding information-dumping and scare tactics. Turning in a 100-page report full of metrics the Board doesn’t understand isn’t useful. Similarly, warning of worst-case scenarios can backfire when it creates a reactionary approach to security.
Further, CISOs should take a risk-based approach to cybersecurity reporting. In practice, that means making sure KPIs contain context about the actual risk posed to the organisation. In addition, CISOs should understand each data point’s impact on larger business KPIs and objectives.
Following a risk-based approach to reporting can help CISOs demonstrate the effectiveness of their programs, advocate for new initiatives, and improve overall security.