A great chief information and security officer or CISO is a highly sought after person, probably because the role combines great technical skill with great management and great personality. Finding someone with such all-round skills that can also fit into the company culture is like finding a needle in a haystack. This difficult to hire for position is made even more difficult for companies who separate the role into chief information officer (CIO) and chief security officer (CSO). Now you need two great people.
After the Equifax breach, the Equifax CISO had a host of negative backlash for having a background in music, but it’s very clear from the responses in the infosec community that a truly great CISO doesn’t have to have a degree in cybersecurity; they just need to know their stuff. And if they know their stuff and they’re a great leader, they can minimise the risk of a data breach tenfold.
So, what makes a great CISO? Whether you’re asking the question because you want to be the best CISO yourself or because you are looking to hire the best, no one is better placed to give us the answer than cybersecurity professionals themselves. I couldn’t write this blog on my own, so I have to thank the IT Security professionals who contributed and helped us define the top seven traits of a CISO.
Be Friendly and Approachable
A CISO should have the ability to closely listen and be ready to speak with anyone in a friendly approachable manner. Ability to make risk-based business oriented decisions and ability to execute them is also important.
Christos Syngelakis, Motor Oil Hellas - Greece
Being a CISO is a stressful job, but it can be a lot more stressful when they aren’t getting any feedback or communication from colleagues. Being friendly and approachable will mean getting some stupid questions, but it will also mean that when something big happens, people won’t be afraid to approach their CISO quickly about it.
Being friendly and approachable also comes hand in hand with being a good listener. Part of a CISO’s job is to listen closely to colleagues and superiors, understand their needs and projects and make decisions that will minimise risk and impact to the business. We’ll touch on being friendly and approachable again, as I feel like this works hand in hand with other important CISO qualities.
Ability to Speak in a Language the Board Understands
A great CISO lives and breathes the daily battle against attackers from all sides. S/he hires the best and brightest and gives them the tools they need to do their jobs. S/he communicates regularly with the board of directors providing actionable metrics. S/he never sugar coats anything.
Richard Stiennon, Blancco Technology Group - US
Part of a CISO’s job is communicating directly with the board. That will involve reporting on progress, grovelling for money to make even more progress, ensuring the company’s data security goals and objectives are being met, and being able to explain why if they have not. Unfortunately for the CISOs, boards generally don’t speak “infosec”. So, their job also means translating their requirements, goals and reports into digestible chunks that a board of directors can fully understand.
Combining this skill with the prior skill of being friendly and approachable, CISOs can use their skills to build good relationships with the board. Over time, their relationship with the board can turn into something more honest, open and frank. The board will learn to put more trust into the strategies, suggestions and requests made by the CISO in return. But this doesn’t happen overnight. A CISO needs to have the right personality that will allow them to build this trust over time.
Ability to Align Security with Business Goals
A great CISO understands that their role is to not control the business but to enable them to do what they need to do in a reasonably secure way. Great CISOs align their programs with the mission values and purpose of the larger organization and understand how to communicate with business leaders in ways that are culturally aware and enable those leaders to make effective decisions. Great CISOs hire great people and trust them to do their jobs while the CISO does their own job.
Martin Fisher, Northside Hospital - US
An important aspect of being a CISO is to remember that they can, if they really want, create a super vault, unbreakable and un-hackable, where information cannot escape. But this vault is probably going to impede the business from making money. After all, a business needs information to flow. A great CISO will always be playing a balancing act between what is good for security and what’s good for the business.
A business is first and foremost about creating wealth through its products and services. If a CISO cannot look at the bigger picture and align their objectives to the overall business goals and mission, they will be set to fail. Culture plays a big part in this if processes need to be changed. Who does the CISO go to? Who is going to be affected? People need to be part of this decision making process and that requires them to be approachable and friendly – there it is again. Creating a culture of change is not easy and requires plenty of this next quality.
Patience
A great CISO is a master of social engineering. Changing everything in an organization, from its risk tolerance and security culture all the way down to its processes and code, takes years of patience and cunning. It is not a job for the faint of heart.
Wendy Nather, Duo Security - US
Being friendly and approachable is seemingly having an impact on all qualities of a great CISO. It’s something that Wendy Nather, from Duo Security, calls being a “master of social engineering”. A great CISO needs to know how all the pieces of the puzzle fit and they need to work out new ways of making them fit that have the smallest impact on everyone’s jobs.
But most importantly in all of this, they need to understand that change in any organization is not an overnight story. It takes many years to make visible and long lasting changes to a company culture. They need to be strong and stay with it because if the leader of change gives up, sure enough the rest will follow.
Recruitment and Talent Management
A great CISO has a full understanding of how their environment works. They have chosen the appropriate IT staff to ensure the highest level of protection and work through projects in a security first manner. Security should be their number one priority.
Dylan Kavanagh, Bank of Ireland - UK
With CISO responsibilities covering a large scope, they will likely have a million things going on. This is where reliance and delegation to a team become important. A great CISO isn’t afraid to hire more technically talented than they could hope to be. They fill their team with great thinkers who are results-focused and the puzzle pieces will fall into place with good management of those people.
Being friendly and approachable is important here too. They’re a boss. They need their staff to rely on them, like them and want to work for them. They need to make their team and workplace structure into something that competes with companies around it because cybersecurity talent is hard to find. The truly talented people out there have options. A great CISO need to give them a place to work that they don’t want to leave and are willing to refer friends and ex-colleagues to join when there is a vacancy.
Risk Awareness
A great CISO is risk aware, in touch with industry direction and has ability to translate into business impact and requirements in a simple and safe manner.
Andy Martin, Standard Life Aberdeen - UK
If the chief marketing officer wants to implement a new tool that’s going to save thousands and improve efficiency, a great CISO might choose to do some analysis on the tool to see how it will fit in the current infrastructure. Does the data flow make sense? Is the tool secure? Is the third-party vendor secure? Are their data practices compliant? A great CISO is constantly looking for holes and working on ways to plug them.
A truly great CISO is always thinking about and prioritizing business risk. Where are the biggest risks to data breach, loss or theft in the business and how is the company going to minimize impact if something does happen in any one of these areas?
Organization
A great CISO has the ability to assess and prioritize appropriate assets that need to be protected. Understand and prioritize the risks to those assets. Convey those risks in terms that boards can understand to allocate necessary budgets. Identify and implement appropriate controls to protect those assets. Ability to prepare and respond to incidents appropriately. The appropriateness in all cases may vary from organization to organization.
Sarb Sembhi, Virtually Informed - UK
There’s lots to do in the world of a CISO. So much that it can be hard to find a logical way to do it all in time, efficiently and productively. That makes organization a pretty important quality of a great CISO. For most CISOs, juggling several meetings, managing a team, prioritizing risk, aligning business goals, auditing and preventing a data loss are just some of the items being juggled.
As with every high level role, there are a series of logical steps that a great CISO can take when starting off in the role. Sarb Sembhi puts it well in his tips.
- Assess and prioritize assets that need protecting – start with a data inventory. Understand how each department works, utilize the necessary tools and communicate both internally and externally. What are the biggest risks? Where do they need to make the biggest changes?
- Convey the risks to the board – they’ve done a thorough assessment and have all the necessary data to show where the company is most at risk. But how does a CISO translate this into board speak? Find a way to show how the proposed changes will justify the cost it will incur and even better, create more efficiency, productivity and therefore, more revenue for the business.
- Implement appropriate controls – work with a talented team to deliver control to those assets and keep appropriate measures to ensure that they are always monitoring, reporting and improving on the security strategy.
- Prepare and respond to incidents – be ready for anything at any time. Have a well thought out and well documented incident response that every relevant party is not only aware of but knows inside out.
- Make it fit for the organization – every company is different. A great CISO doesn’t implement something because they can or because it worked in their last company. They implement it because they know it’s the right choice for that company. Create a strategy that moulds to the company’s needs; that way it will last longer and work better.
There you have it. A quick guide to being a great CISO, created by great CISOs. If you have any ideas of your own you would like to share and add, you can start a conversation with us on Twitter or use the comment section below.