All of us know, at least from afar, what a Chief Information Security Officer (CISO) does. A CISO upholds the organization's overall security by overseeing the operations of the information security practice, the IT security department and related staff. In this capacity, those who become a CISO attain the highest paying job in information security, and with it the responsibility of enabling the business in a fast-evolving threat landscape.
But is there more to this job than that description is letting on?
To find out, The State of Security reached out to several CISOs to discuss what the job entails in practice. We also asked them to identify important qualities that a modern CISO needs in order to be successful. Their responses help to illuminate the realities of working as a CISO and how this position has changed.
More Than Just ‘Cyber’
The position of CISO does not solely uphold security within the "cyber" space; its scope is much broader than that. Lou Klubenspies, senior director, IT risk management & CISO at PerkinElmer, Inc., makes this point clear:
For most people, sayings like "CISOs prevent breaches" and "CISOs defend against hackers" feel about right. People also believe that CISOs accept or sign off on cyber risk, but in fact, they don't (and shouldn't). A CISO's job is to identify and highlight cyber risk to the business and then to build and operate an information security program that aligns to the organization's risk tolerance. Cybersecurity is only one facet of it. The role is really about risk management in general; it often includes things like compliance risk and physical plant security, as well.
CISOs are ultimately responsible for managing these and other projects. They won’t get the job done with just technical expertise, however. On the contrary, they need to exercise strong leadership skills in order to unite everyone around the organization’s security efforts.
Christian Toon, CISO at Pinsent Masons LLP, feels that these leadership qualities should be getting the most attention—even more than the title of “CISO” itself.
"CISO as a title is sometimes overrated," he explained. "Some organizations have them. Others don't. Others have other roles with the same responsibilities. In general, focusing on CISOs alienates a big proportion of our community. I prefer the term 'security leader.' We exist at all levels across the industry, and it's these leaders of today and tomorrow who need to focus their skills on the following principles: communication, the ability to traverse organizational structures and speak to everyone from the CEO to the receptionist; humility, the recognition that information security is a team sport and that security works best when people get together; and risk management, the understanding of your organization's security risks and the application of this knowledge to figure out 'how much is enough' security, thereby helping with the management of stress."
Teamwork: The Proper Reflection of Security
To be a proper leader, a CISO needs to be a people person. They need to be able to speak the Board's language and frame security threats in terms of the business. But they also need to understand how the business works so that they can call upon the most vital business asset: people.
Ron Solano, data security officer at OptumInsight of United Health Group, couldn’t agree more.
While it's important to understand technical issues, the CISO needs to translate that into easy-to-understand communications. (By contrast, a non-technical CISO needs to have people under him/her who can do the translation so that the message is understandable.) CISOs need to reach out to the business side more often to foster a true working relationship regarding the "business." As an example, being able to handle ransomware is critical because the business needs to be ready to handle that fight in a manageable manner and avoid chaos. Work together for more desktop exercises, together as a "TEAM." Some CISOs are in a "see ya" mode, which is not good, as it's a poor reflection of security.
CISOs need to be visible so that they can lead the charge in strengthening the organization's security posture. If they're not, they won't be able to see how things are changing on the ground, and that blind spot will limit their ability to serve their organization's evolving needs.
“CISOs increasingly are a mixture of security practitioner, business enabler and governance evangelist,” observes Klubenspies. “At the same time, the lines that used to separate Cyber, Legal and Privacy have begun to blur. These three areas must work collaboratively if cybersecurity challenges are to be effectively addressed. Many CISOs either ‘came up’ through Cyber or Governance and Compliance. Therefore, in some cases, they are and were technical, and in some cases, not so much. What’s most important is that you build a team that fills in the gaps in your own experience or knowledge. If that happens, whether you are or aren’t technical isn’t as much of an issue. It goes without saying that no matter what, you still have to be able to understand the concepts and speak intelligently about them if you hope to be effective.”
Toon thinks that building a strong team goes beyond filling in gaps in the CISO's own understanding. He also thinks that CISOs should be concerned about the overall welfare of their team members. This is especially true during COVID-19:
During the pandemic, more than ever, it’s been about our people. It’s been about making sure that everyone’s mental and physical wellbeing and health are a number one priority. To paraphrase Richard Branson, ‘Security threats don’t matter. Your security team does. Take care of your security team, and they will take care of the security threats.’ I’m fortunate to have a fantastic team, and we all work together to solve our problems.
For guidance on how CISOs are working together with their teams to specifically solve the problem of remote work during COVID-19, click here.
Author's note: This blog was co-authored by Mitch Parker and Joe Pettit.