Authors: Steve Moore and Brian Haugli.
The role of Chief Information Security Officer (CISO) is among the most coveted leadership positions across the security industry. As with any senior role, it brings with it opportunity, big responsibilities, risks and rewards. But from a CISO insider’s point of view, what are the key qualities and attitudes needed to get hired, succeed and be happy in the job?
Understand the role
First and foremost, CISOs have to understand the business they are there to protect, and the foundation of that is clarity around the motivations of its leaders. Important questions to ask leadership are: ‘Why are we in business? What are we trying to defend? What is going to be a bad day for us from a security point of view?’
It’s surprising how many organizations don’t have clear answers to these questions, and it’s always interesting to talk to different internal teams and discover how many different answers come back to the question ‘What are the business objectives for our company?’
For instance, sales will often give one answer, engineering will offer another and legal might go in a different direction. That can be challenging for the CISO because business functions need to be aligned and pulling in the same direction.
But once that understanding and connection have been established, the mantra ‘I can’t defend what I don’t know exists’ is a great basis for digging deeper and defining the practical scope of the role.
Trust your team and learn to let go of the detail
There are many CISOs who, having come up from the ranks, are technically very capable and struggle to let go of the details. It’s an important transition to make, as CISOs shouldn’t have the time to be hands-on. Tackling new responsibilities such as building cross-functional alignment, building out the strategy, developing a security program and mentoring colleagues all require stepping away from technical consoles.
Similarly, a well-rounded CISO shouldn’t focus too narrowly on a small range of security specialties – they need to be open to the ancillary spaces within security, such as human behaviour, the necessary soft skills, budgeting and even the legal side of the role, and then work to pool that knowledge to round out their skillset.
A self-aware CISO will also acknowledge that after a certain amount of time in the industry, they may not be the freshest on the latest technologies or software. The newer, younger generation coming in fills that gap. The solution is to bring good people onto the security team, build trust and allow them to do their jobs.
Be the honest broker for security in your organization
The CISO must be an honest broker and the arbiter of truth for security in their organization. It’s incumbent on them to help align security priorities with business priorities, and often explain them in non-technical terms to a non-infosec audience, particularly at a board level.
This means delivering the right message to business leadership and making use of the learning opportunities that come from candid discussions about security. That’s important because the information provided by the CISO may not always be positive, but it has to be something they can stand behind as a leader for security.
Being an honest broker is all about transparency and integrity. The CISO must protect and showcase those attributes to build the trust necessary to do their jobs effectively.
In the same way, the spirit of honest, open communication should be applied to coaching teams and driving initiatives and programs in what is typically a high-stakes environment.
Recognize and manage the stress that comes with the job
The CISO role is a highly responsible function that can bring with it significant levels of stress. Those pressures can range from the daily expectations of the role and the need to demonstrate technical prowess, to crisis situations when a security incident has an impact on the business.
Talking about the pressures with peers or professionals is one way for CISOs to maintain a healthy balance both inside and outside the security cauldron. In every job, whether it’s working as a CISO or in any other role, the basics are key: eat well, exercise, get fresh air. While those suggestions might seem simple, they’re an incredibly important part of managing stress.
It’s important for everyone to make sure they monitor, understand and manage their well-being – both mental and physical – to stay healthy and ensure their performance remains at the levels required, and CISOs are no exception. Managing stress is no less important than any of the other skills a CISO needs to learn.