As businesses evolve, so does the role of the CISO. Security leaders need to stay one step ahead of the game to meet the varying demands of the board, communicate risk and intelligence in a meaningful way, and implement everything required to build the most holistic security infrastructure possible.
So how do CISOs go about doing this? What skills do they need to possess and, perhaps more importantly, develop to be a successful leader and help protect an organization’s assets against an ever-changing threat landscape?
At Infosecurity Europe 2016, an impressive panel of renowned security leaders, hosted by Adrian Davis, regional managing director at (ISC)2, sat down to discuss the role of the CISO, sharing invaluable insight from their time in the industry.
“Let’s think about the CISO role right now,” said Davis. “What are the skills of a CISO today?” he asked.
“I think one of the most important roles of the CISO is to be a business-facing person,” answered Lee Barney, head of information security at Marks & Spencer. “We sit in a very technological environment and we see lots of tools, technologies and attacks; it’s quite easy to get bogged down with all of these things. So, if you are the sort of person who can relate security issues to a non-technical audience, that’s the most important factor,” he added.
Mark Hughes, president of BT Security, said that the CISO of today needs to demonstrate four key leadership qualities.
“The first one is being extremely results-orientated,” he explained. “That means we have to be able to agree and understand what we are trying to achieve and be focused on achieving it. The second is being very good at high-quality problem solving, and that’s not easy. Thirdly is being able to get and garner multiple perspectives, which is so important in what we do – managing our stakeholders, seeing things from other people’s perspectives so we can then craft solutions to complex problems. Finally, and probably most importantly, is being able to build and support strong teams around us.”
Moving the conversation onto how to gain and develop these types of skills, especially if they don’t always come naturally, Davis asked the panel for their thoughts on the best ways of going about this.
“For those that aspire to be a CISO but aren’t quite sure if you are a natural leader, then the easiest thing to do is go and talk to people in your business,” said Barney. “I advise getting involved in the very fabric of the business – make friends and colleagues outside of IT. That’s the way you get to understand and position yourself for feeding things back to them in a way they understand.”
Cory Scott, CISO at LinkedIn, explained that there are a lot of different ways to be a successful leader, and it’s something that comes down to a focus on developing the skills that are best suited to you as an individual.
“I’ve met most individuals that have different aspects of leadership that can work well. You have people who are really good at managing or leading a team, for example; you have other people who are very good at working with their peers across different parts of the organization; there are others who build leadership through technical subject matter expertise. So, there’s a lot of different ways to be a leader, and almost everyone that I’ve encountered can develop at least one of those three areas of leadership.”
“Is there a ‘secret sauce’?” asked Davis. “Or is it just a case of getting out there and working and learning side by side with other people?”
“I think one of the other important things is relevance; how we make ourselves relevant,” answered Hughes. “If you go and ask anyone you know outside of this room – friends or family – about information security they will probably be quite petrified. The reality is there’s a really big understanding gap and a real thirst for knowledge, and at BT actually just helping people across our business and giving them a bit of knowledge about keeping themselves and their families safe online really helps.”
In terms of creating that relevance in your network, Hughes continued, look at other risk areas: find them, examine how your business managed to work through them, and translate that experience, then use that knowledge and language in the cyber world to make security more relevant.
Mieke Kooj, security director at Trainline, agreed, stating that relevance is very direct and can vary depending on the shape and size of your organization.
“Is there a way that stepping out of your comfort zone helps you create or learn more skills and become a better leader?” Davis asked.
“I’ve made a conscious decision to always put myself outside of my comfort zone,” said Barney. “If you imagine the first time you manage an incident, you’re probably quite worried about how things are going to go; I was when I first came across an incident. The more times I’ve managed incidents or the more times I’ve done something outside of my comfort zone, the more willing I am to go and do it the next time, the more confidence I display. That’s a fundamental part of being a leader in security, having confidence in what you do; so step outside your comfort zone at every opportunity.”
Scott added that one of the bravest things a CISO can do is simply say ‘I don’t know’.
“One of the aspects of that is that on the technical side of things the level of specialization is so high now that there are going to be areas of expertise that you’re not going to immediately have,” Scott said, so doing new things to push that uncertainty away is very helpful.
In our next article, we continue our coverage of the panel as they discuss developing the CISOs of the future, assess the CISO’s role in creating the culture within an organization, and summarize the characteristics of a good security leader.