Today, cybersecurity is a massive concern for businesses of all stripes and sizes. Yet, despite 95% of chief information officers (CIOs) expecting cyber-threats to increase over the next three years, only 65% of their organizations have a dedicated cybersecurity expert or chief information security officer (CISO), according to a survey from Gartner, Inc.
This is worrying. Last year, a report from the Ponemon Institute – ‘The Evolving Role of CISOs and Their Importance to the Business’ – laid bare that the CISO’s role is becoming more critical in today’s world of omnipresent cybersecurity threats, especially when it comes to managing enterprise risk, deploying security analytics and protecting Internet of Things (IoT) devices.
However, another key takeaway from the report was that the role of the chief information security officer has expanded in recent years – evolving from that of a security services manager to one that has responsibility across the entire organization. Today, the role embodies a leadership position that requires executive presence, excellent communication skills, and sharp, organized thinking. As such, chief information security officers must not only possess technical expertise and leadership skills, but also understand their company’s operations, and have the ability to articulate security priorities from a business perspective.
But what does this really mean for chief information security officers working today? What are the most important qualities CISOs need as they work towards the integration of security in all business processes, and take the leading role over an enterprise-wide IT security strategy? Let’s consider five of the most important.
- They Must Understand the Business Mission and Align Security with Business Goals
Chief information security officers face the challenge of having to play an ongoing balancing act between what is good for security and what’s good for the business. Today’s businesses need information to flow. It’s all well and good for a CISO to create a totally unbreakable and un-hackable super-vault from which information simply cannot escape – but such a vault would likely impede the business’s ability to make money.
A great chief information security officer looks at the bigger picture and aligns his/her objectives to the overall goals of the business and its ongoing mission. They understand that their role is not to control the business, but to enable it to achieve what it needs to achieve in a reasonably secure way. This takes planning and good communication with other stakeholders in the business in order to ensure the security program is effective and properly aligned with the company’s overarching goals. Since information security is in competition with other business objectives, a good chief information security officer will ensure that the strategy is sanctioned, endorsed and formalized by an internal governance board or committee that includes senior IT and business management stakeholders.
- They Must Have Executive Presence and the Ability to Influence the Board
A big part of a chief information security officer’s job is communicating directly with the board. According to the Ponemon Institute’s study, 65% of CISOs report directly to senior executives, 60% are responsible for informing the organization about new threats, technologies, practices, and compliance requirements, and 60% serve as a direct channel to the CEO.
However, the fact is that the majority of board members generally don’t understand the language of information security. This means that chief information security officers must have the ability to translate their requirements, goals and reports into terms that a board of directors can fully understand, and ultimately develop credibility and trust.
This requires executive presence, which Harvard Business Review defines as the “ability to project mature self-confidence, a sense that you can take control of difficult, unpredictable situations; make tough decisions in a timely way and hold your own with other talented and strong-willed members of the executive team.” An effective CISO will have executive presence in abundance. They will use it to not only represent the company’s position regarding security matters, but also to influence other executives in a manner that is consistent with security goals and objectives, and establish and maintain working relationships with all members of the board.
- They Must Have Outstanding Leadership Skills
Good security is a team effort. It is an ongoing business process that requires buy-in from employees and executives alike across the organization. Primarily, the chief information security officer’s job is technology-based, but in many ways, success depends on building relationships, and having the ability to communicate, delegate, and lead by influence as opposed to an iron fist.
As security leaders, it’s crucial for chief information security officers to establish trusting rather than authoritative relationships with employees. Most employees won’t consider themselves to be security threats to the business. But the actions they take, their awareness of risk, and the way they use their own and the organization’s computing devices when connected to the network can open the door to cyberattacks. As such, chief information security officers do have an enforcement responsibility. Good ones, however, won’t govern by edict, but rather empower team members across the whole organization to take an active part in managing information risk.
In addition, CISOs must clearly define precisely who is involved with security-related decision making, and ensure that these individuals are also empowered and well-qualified to make business-related risk management decisions. Documentation plays a key role here in mitigating the complexity of synchronizing the roles and responsibilities between individuals and departmental units. Only with clear documentation in place will the CISO ensure that there are no coverage gaps, that security is being well-managed at all levels across departments, and that the company’s assets are protected.
- They Must Be Dedicated to Their Own Education and Self-Development
The cybersecurity landscape is constantly changing, with new threats emerging all the time. As such, chief information security officers must dedicate themselves to continuous education, and seek out sources of information that keep them current with all cyber-threat and IT security developments.
The stakes, of course, are extremely high. Cybercriminals are constantly on the lookout for weaknesses in organizations that they can target. The goal of the chief information security officer is to keep the gap between the cybercriminals’ efforts and the organization’s security programs as wide as possible – and that only happens with continuous learning.
For this reason, chief information security officers must commit to ongoing self-development, and embark on training and education programs that bring them up to speed on emerging technologies, new compliance requirements, and the perpetual need for security improvements.
- They Must Keep Cybersecurity Ethics at the Forefront
Ethics play a crucial part in any sound cybersecurity defense strategy. Without clear standards and rules, security leaders can become almost indistinguishable from the criminals they’re meant to be protecting the organization’s systems and data against.
As the volume of data an organization collects about its customers, prospects, employees, and other individuals grows, so too does its responsibility for managing and protecting that data. Privacy is closely related to security, and chief information security officers must actively lead discussions about how much personally identifiable information (PII) is maintained and how much is anonymized. In addition, the chief information security officer should implement and enforce an ethical practice policy for IT and security staff to follow, and review this policy regularly in line with latest regulations and guidelines.
CISOs must also have a comprehensive incident response plan to put into immediate force in the event of a breach. Importantly, this plan must contain not only technical details of how to respond, but also practical instructions for legal teams that take into account key ethical considerations. Time is of course a huge factor in responding to a cyberattack, and notifying customers and clients about any implications – such as stolen data and credentials – should be an integral part of the response plan. Keeping the public in the dark after a breach leaves customers vulnerable, and will raise serious questions over the company’s ethical standards. When a company’s data is compromised, it may face lawsuits and reputational damage – and delaying public announcement can compound these consequences.
In sum, a great chief information security officer possesses a great leadership mindset. They are able to exert a commanding presence in the board room, communicate the security mission effectively, build relationships throughout the organization, and align information security programs with business goals. In addition, they are committed to their own ongoing education and self-development, and keep cybersecurity ethics and the business’s reputation at the forefront of everything they do. Companies everywhere today face increasingly sophisticated threats coming from a multitude of different angles. As such, a great CISO with the right skills and qualities is more crucial and more valuable than ever before.