The range of skills required to work with different stakeholders is placing new demands on Chief Information Security Officers (CISOs). A new survey out today drives home this point, pointing to the need to communicate with a wide range of people both internally and externally, while demonstrating good Emotional Intelligence.
CISOs and other security professionals can have a reputation for being spiky and unapproachable and an -- often unfairly gained -- aura of being business blockers. In a series of 23 CISO interviews a new report backed by F-Secure captures a snapshot of how this role, traditionally treated as as technical one first, is changing.
Among them was Scott Goodhart, a former Marine Corps officer who as CISO ran global cybersecurity governance and oversight for energy firm AES across strategic business units in 15 countries.
Now retired/a CISO Emeritus, he told The Stack: "If you really love technical and you don't want to step away from configuring firewalls, don't be a CISO, because you are going to be very, very, frustrated!
"I think what's needed these days is someone that can communicate very well, tell a story, be a good leader and a good listener.
"That is a lot [to ask]. But in my career I've really seen that shift from CISOs being a pure technical person, to a person who needs to really be one of the company's leaders and help it to achieve its business objectives. You need [as a CISO] to hire the right people under you that can handle some of the technical details, because more and more now, you are going to have to communicate at a much higher business level, to whether it's a government regulator, or a board member."
F-Secure’s Tim Orchard, Executive VP, Managed Detection and Response, agrees, noting that although the shift to relying more on ‘soft’ skills began years ago, as the demands to be a better business advocate grow, so do the needs to play the role of a bridge between the C-suite/board and technically gifted teams keeping companies secure.
He told The Stack: "A lot of security professionals have very strong opinions, they see the world in a very black and white way, and that is their strength in many situations. But what they really get worked up about is when they don't feel like they're listened to.
"They don't always want you to agree with them, but if you patronise them, if you don't make time to listen to them, then you lose their trust. I think that's probably one of the most important things I've learned in managing many gifted technical people over the years. I used to think, 'well, I understand the technical stuff, so they respect me for that' but I don't think that's true. You earn respect when you take the time to listen to your team and make them feel heard."
The report -- "The CISO's New Dawn" - also found that CISOs were "generally prepared to accept they will be held to account for many things beyond their control, such as the shadow IT implemented without their knowledge, and the reluctance of other peers to accept their responsibility of understanding the impact of cyber security within their roles. They were adamant that this is something they are addressing to be a more conscientious Emotionally Intelligent CISO using these new skills to engage wider across the business."
Importantly, as Goodhart adds in the release, “for companies, the technical aspects related to cyber security risks have become indistinguishable from other business risks. It just doesn’t make sense to treat attacks as only an IT or cyber security problem if they can potentially cost companies thousands or hundreds of thousands of dollars due to downtime, extortion payoffs, stolen intellectual property, etc. Technical-only CISOs have become a thing of the past and replaced by a role that’s explicitly relied on to address risk in a much broader, holistic way.”
That should also give thought to those seeking to nurture future CISOs in their organisations. As Tim Orchard puts it: "We need to look for people that can move on from being an operator of the technology to look at bigger operational problems. Some people are brilliant at 100% head-down work. But you might also have people who are 'okay' technologists, but have the skills to be a brilliant consultant or indeed CISO."
And indeed, a good listener. With demand for skilled security professionals never higher yet rates of burnout also increasingly obvious, while the report's focus on emotional intelligence looks like a PR gambit (congratulations, it worked) it's also an important one. Security is a highly pressured role, in a volatile environment rife with bad actors, where getting it right goes unrecognised, but getting it wrong can result in devastating business impact. Getting the most out of a team means having a CISO who is sympathetic both to interpersonal concerns, and those of a business and its board. CISOs, are you pulling it off?
