CISOs are expected to wear a hero’s cape and stop attacks, develop secure products and protect customer and corporate data. But that’s not their only role. Security executives are also at an organization to tell a story about the risks an organization faces and how those risks can be mitigated or eliminated. And this holds true for CISOs at any stage in their career.
Sadly, no one is going to lay out the path a security executive must take to balance these roles. But there are definite skills that can help you advance your career to the management level. These skills go beyond what’s typically expected of a security professional, such as deep technical knowledge, and include strong communication skills and having business acumen.
Of course, knowing about data science, research methods, agile development and the latest technology is still vital. But the biggest challenge (and this applies to veterans as well as newbies) is aligning information security with the business.
“The biggest problem for CISOs today, aside from their mission of protecting company and user data, is the alignment to the business. It's talking the language of the business,” said Cybereason CISO Sam Curry.
That language, he said, entails using the words revenue, cost, margin, customer satisfaction, employee efficiency or strategy when talking to any C-level executives.
“If you get into an elevator with the CEO, the CFO, the CIO, and you’re the CISO and you open your mouth and don't use one of these six words, you'll be perceived as a hobbyist. We have to translate what we do in security into these terms,” Curry said.
Security executives can’t be perceived as “geeks” when they sit in the boardroom, said Curry, adding that he’s spent “most of my life being a nerd to some degree.” Instead, security leaders need to be seen as relevant to the business and be the voice of risk in the IT stack.
“Risk is incredibly important to communicate,” he said. Business leaders want risk mitigated or eliminated, and the CISO is the one who carries out that task, which gives both parties common ground on which to build a working relationship.
Communication is a critical soft skill that all security executives need. They could nail every other part of their position but if they can’t communicate what’s going on in their department and how it helps the business, they’re setting themselves up for failure.
“If you can't say what you're doing, if you can't socialize, if you can't build intimacy within and outside the security department, then you're not going to move forward,” Curry warned.
In other words, CISOs need to socialize. Lateral relationships matter and are critical to bridging any gaps between business and security. Establishing them can prove challenging; e-mail overwhelms us and there are meetings all day long. But the human interaction is very important to your peers.
And those relationships will eventually prove key when you’re trying to complete certain projects, since the duties of a CISO are no longer restricted to setting up firewalls or network perimeter devices. These leaders are now explaining to corporate boards how the organization can mitigate security risks and working with product teams to create more secure services. Their domain is no longer the server room or a SOC; they’re now expected to interact with all departments.
“If a security department isn't well tied into its company, into its management and to how decisions are made, into the governance structure, into the culture, then it can't be effective” in its mission to reduce risk, Curry said.
Some of the people and departments CISOs should interact with include obvious ones like their boss (though many security executives don’t know how to earn their boss’s respect, Curry said), as well as product development (CISOs need to make sure that security is incorporated from the start, not tacked on as an afterthought, he said) and finance (CISOs need to get their budgets approved, too).
“Lateral relationships matter most. You're going to have to get along with the head of engineering, IT, finance, marketing, legal and many other departments. When you're trying to get things done, you're going to need those relationships,” Curry said.
Cybereason looked at what skills can help CISOs prosper in the dual role of security executive and business leader in the white paper CISO Tips: Balancing the hero with the storyteller. Read it to learn how to better communicate with corporate boards, why company culture can help or hinder a CISO and why lateral career movement outweighs simply trying to climb the corporate ladder.
And to read more about the six business terms CISOs need to master, check out the blog CISO Tips: Learning and using the language of business.