From dealing with an extended attack surface, to establishing secure connections for the newly-minted remote workforce, CISOs tackled a lot of curveballs in 2020.
As CISOs continue to work on thwarting evolving threats while taking on a wider set of critical responsibilities (studies suggest security leaders now influence over 90% of board and management decisions), a recent statistic caught me by surprise:
Only 12% of CISOs are considered "highly effective.”
I found myself wondering: What makes a great CISO in today’s evolving business — and threat — landscape?
After a brief chat with our own CISO, Lenny Zeltser (also a SANS Faculty Fellow), I wanted to highlight four key attributes of an effective CISO:
- Strong business acumen
- Ability to empathize with others
- Robust communication skills
- Strong technical background
“It used to be you could be a technologist, and focus on scanning for vulnerable systems and doing code reviews. But now CISOs are expected to be a business executive,” Lenny said.
“A successful CISO right now, and certainly in the longer term, has to be both a business leader and a technology leader. And that makes it hard — being good at both.”
Strong Business Acumen
To be successful, CISOs need to move away from threats and tech-focused conversations to discussions about how security initiatives are aligned with their organizations’ business goals. There are scores of articles, studies, and blog posts on why the future belongs to the business-aligned security leader.
But what’s the key to becoming a business-aligned CISO? It’s having strong business acumen.
By 2023, 30% of a CISO’s effectiveness will be directly measured on their ability to create value for the business. Having a deep understanding of the business and its goals is imperative for CISO success.
CISOs must embrace a business mindset to stay relevant, or they risk being replaced by more forward-thinking players. Exhibiting a strong business mindset helps CISOs connect with colleagues outside of the realm of technology, and facilitates business-focused conversations.
Empathy-based Interaction With Stakeholders
Top-performing CISOs regularly meet with three times as many non-IT stakeholders as they do with IT stakeholders, according to Gartner. Effective CISOs also acknowledge other business unit leaders as key partners.
This means CISOs will prevent themselves from connecting with the rest of the organization if they speak solely on a technical level.
A key ingredient for relationship-building and effective interactions with stakeholders? Empathy.
“You need the ability to empathize when you talk to other stakeholders. Understand what’s important to them and talk on their terms. But use those interactions to drive your priorities, too,” Lenny said.
“The alternative would be to beat the drum of, ‘Security is important, compliance is important.’ Which is a thing that CISOs perhaps should do, but you have to do it on others’ terms if you want to persuade them.”
It’s important to realize these stakeholders care about their own agendas. Understanding their goals, priorities, and hurdles will help foster meaningful, productive conversations.
Strong Communication Skills
The ability to communicate effectively is key to being a good advisor and strategist. With the CISO role rapidly evolving, the need for articulate leaders who are deft at effective communication is more important than ever.
“To me, it’s such a baseline requirement. You have to be able to communicate with technologists and with non-technical people alike,” Lenny said.
Effective communication for CISOs means minimizing esoteric jargon, tailoring conversations for the audience, explaining cybersecurity strategy in clear terms, putting threats into business context, and effectively leveraging different communication channels. From presenting to the board, to interacting with highly technical staff, good communication skills help CISOs tailor their message.
Technical Prowess
Aside from business acumen, another core trait of a successful CISO is a strong technical background.
In a recent interview with Security Insiders, Lenny highlighted how CISOs need to understand the various technologies that power the organization. This enables them to craft the right security measures and offer stakeholders guardrails for making informed risk decisions. CISOs also need to be cognizant of the hardware and software stakeholders use, he added.
With the business becoming increasingly tech savvy, a solid technology foundation for CISOs has become a key requirement.
A strong tech background pays off as CISOs work closely with super-technical people in the security and IT departments.
“I’m seeing an industry trend, which is the result of a lot of technologists having entered the security industry 10 years ago,” Lenny explained. “As these people move up in their career, they are inevitably moving up in management. So, right now, the people who are going after CISO roles, or head of security, or director of security — they are technical.
“I think that creates competitive pressure on those CISOs who don’t have a technical background.”
To sum it up, here’s an excerpt from Lenny’s blog:
“In the world of information security, there is a growing need for people who know how to communicate, empathize, and talk the language of their non-security colleagues.”