How to build a better CISO
The technology industry has long been characterized by its ability to transform in the blink of an eye. If you think back 20 years, the internet was just picking up consumer momentum, and now nearly every household device is Wi-Fi enabled. Naturally, this rapid adoption of emerging technology has shifted other IT markets, such as security. As a direct result, the IT industry has seen existing roles alter and new ones emerge, such as the CISO.
The CISO, a title skyrocketing in popularity, is now an essential part of every organization. Companies that aren’t employing a CISO need to embrace this position (and in some states quickly, if they don’t want to be fined). As threats become exponentially more elaborate and the world becomes more connected, the need for CISOs is undeniable.
Even if a company is based in a state where it is not mandatory, not having a CISO could be a clear indicator to a prospect or customer that security is not being taken as a priority. But with the increase in security threats and the business implications they raise, one question remains unanswered: what does it take to be an effective CISO?
Understanding risk
The CISO is a holistic position in terms of visibility and responsibility. A CISO must possess a holistic view of the repercussions of information security risk on a company’s top and bottom lines. CISOs require hands-on experience in multiple facets of an organization to build this view and to understand security risk, couching it in business terms. This includes experience in technical departments such as IT operations, a good fundamental background in security operations and risk management, and a leadership role directly involved in the business.
Aspiring CISOs must touch or experience everything that a business has to offer to fully grasp the business’s scope. CISOs must then possess a clear understanding of how security and risk affect an organization in order to succeed.
The intersection of business and IT
Ultimately, the CISO must be able to translate security risk into business terms that can be understood by the entire management team. Security is a subject best attacked at a high level; that way, buy-in to security standards doesn’t take so long that it leaves businesses open to additional vulnerabilities.
Despite the technical understanding of security that is required to be a CISO, the job isn’t all technical skills. CISOs are members of the executive management team, and because of this they must hold a firm understanding of how to lead and inspire a team. They must also be able to present the security and IT teams’ ideas to the other members of management to ensure full support for the company’s security strategy.
One example that comes immediately to mind is the infamous Heartbleed zero-day vulnerability that came out a few years ago. The Board of Directors did not need to hear that “the OpenSSL library suffers from a buffer over-read”. What the Board cared about was the fact that sensitive documents regarding an impending merger or acquisition, for example, might be compromised because of Heartbleed.
The impact to the bottom line is what the Board cares about, and the technical details matter only insofar as they can better explain the business problem. The business problem comes first, in other words, with technical details supplementing.
Of course, many companies have embraced cybersecurity for years, either strategically or out of necessity. There are many veterans – even though they are hard to come by – and a number of qualified individuals who need a chance to develop their business and management skills.
The security world isn’t slowing down, and neither is the speed of business. Companies would do well to get ahead of a potential shortage of CISOs and ensure they’ve got one with all the right pieces. If not, they’re putting themselves at high risk of a breach.