Only five years ago, the title of Chief Information Security Officer was likely awarded to an employee who had worked hard and was dedicated to the company. It was an honorific title, often given as a reward. Times have changed, and companies need a new breed of CISO.
The number, severity, and impact of cyber threats are continually increasing. Companies now rely on complex, highly integrated IT systems whose confidentiality, availability and integrity are paramount.
The WannaCry ransomware was a good example of how poorly managed security can cripple an organization. The National Health Service in the United Kingdom had up to 70,000 infected devices and was forced to turn away non-emergency patients. (1)
The CISO is now a senior-level business executive who can directly impact the profitability and viability of an entire organization. Instead of being a technical specialist, the CISO must now be a seasoned business leader that can become a trusted advisor to other executives within the organization.
CISOs can help maintain your brand value, help build relationships with various stakeholders, and are charged with protecting an organization's most important assets (the digital ones).
The job of a true modern CISO is getting harder by the day, and organizations need to ensure they have the best CISO they can find and afford to guide them.
If we agree that the nature of the CISO's role has changed and that the modern CISO is a very different creature than his predecessor, what makes a good CISO?
1 - Problem solvers
A modern-day CISO can solve complex, rapidly changing problems under stress and high pressure. A CISO must enjoy solving complex puzzles while juggling day-to-day tasks and driving the organization's long-term vision. The CISO must understand that every decision made today can have dramatic repercussions tomorrow.
2 - The CISO must be a people person
The modern CISO is often a front-line representative of the organization to shareholders, customers, partners, and regulators. They must have the ability to build strong relationships based on trust and respect. The CISO must be able to communicate complex security issues to stakeholders who may not understand even basic IT. The modern CISO must be a people person who leads his/her team with fervor and engenders commitment from the security team.
3 - The CISO is a citizen of the world
Information flows without respect for national boundaries, but companies are being asked to navigate complex global regulations that sometimes contradict each other. The only way a CISO can manage this increasingly complex regulatory environment is with skills that are non-traditional for an IT person, including law, business, compliance and governmental relations.
4 - The CISO must be business minded
The CISO must make security decisions based on how they impact the organization or enable it to perform its primary business functions. The CISO must weigh security decisions against profitability and efficiency, and must build a competitive advantage for the organization. A CISO must be obsessed with efficiency and must be resource-conscious (people, time and money). Gone are the days when a CISO made purely technical decisions based on technical need.
5 - CISOs tend to be workaholics
Even if work-life balance is all the rage, a CISO is always on call. Unfortunately, the bad guys never take a break, and often neither does the CISO. It is common for a CISO to work long hours and weekends while guiding the organization to where it needs to go. The modern CISO is humble and respects the capabilities of his/her adversaries. A CISO must always be vigilant, continually thinking about how he/she will keep the organization one step ahead of threat actors.
6 - Strong team building skills
CISOs work long and hard, but so do their teams. A CISO must be self-confident enough to hire the highly skilled professionals the organization needs to succeed. I have met many CISOs who refused to hire employees who were more technically competent than them for fear of being replaced. This is the reflex of a "bad" CISO who doesn't understand his/her new role. A good CISO will hire the best people he/she can find and then coach them to grow and become exceptional. The stronger the team, the better the CISO.
7 - Your CISO doesn't need to be certified
Full disclosure: I do not currently hold any security certifications, but I believe I can challenge anyone who does. The CISO is a business professional with security experience, not a security professional with business experience.
You should rely on a proven track record instead.
The role of CISO is constantly changing, and the ideal candidate must also be constantly evolving. I have been a security executive since 2001 and have seen the role of CISO morph from a backroom function performed by geeks to a front-of-house leader who can communicate with clients and regulators. The right CISO can drive business growth, while the wrong one can sink your entire organization.
Invest the time, energy and resources required to hire the right CISO for your company. If you already have a CISO, make sure he/she is the one your organization needs right now.
(1) Ungoed-Thomas, Jon; Henry, Robin; Gadher, Dipesh (14 May 2017). "Cyber-attack guides promoted on YouTube". The Sunday Times. Retrieved 14 May 2017.