The six phrases CISOs need to use to bridge the gap between security and business

CISOs who want to earn the trust of other executives should study the history and evolution of the CIO. When these technology leaders began to appear in organizations, they had to align themselves with the business's objectives. Failing to understand how technology could help the company resulted in the CIO being labelled a hobbyist.

CISOs now find themselves in the same role. They’re in the boardroom with peers who don't understand how security impacts them.

"One of the biggest issues we have is that a lot of what we do isn't aligned with business. We have a real role to play in enabling new ways of connecting," said Cybereason CISO Sam Curry in an interview with The Charles Tendell Show during Black Hat this week.

CISOs need to speak the language of business

Security executives aren't speaking the language of business, resulting in a failure to connect with their business-minded colleagues. “I don’t see average CFOs understanding cross-site scripting,” Curry said.

And don't expect the CEO, COO and other executives to learn computer science. The more likely scenario is that security personnel will learn business and the language of business, which Curry condensed to six concepts:

  1. Revenue
  2. Employee efficiency
  3. Strategic value
  4. Cost
  5. Risk
  6. Customer satisfaction

Business leaders care about how security fits into and improves each of these areas. Stray off the theme of security helping the business and into technical jargon and you’ll lose your audience, Curry said. For an even more detailed view of how a business works, Curry recommended that security executives befriend the CFO and ask to look at the profit and loss statement.

That’s not to say that technical knowledge and maintaining relationships with the people who carry out IT security don’t matter. CISOs need to be involved in both of those realms.

“The average security executive needs cred with the Black Hat folks. But they also need a seat at the business table and to be able to say ‘I am the source of understanding risk from the IT infrastructure perspective,’” Curry said.

Soft skills matter, too

Aspiring CISOs also need to hone their soft skills, particularly around communication. Successful security executives build trust with their peers by establishing a foundation built on credibility and reliability, Curry said. Building that foundation starts with talking to your co-workers, getting to know them and understanding what their problems are and how security can alleviate them.

Finding a mentor and embracing change also helps since serving as a CISO requires constantly changing your skill set. While the natural tendency of any leader is to regress to what’s worked best in the past, that type of regression at the CISO level will lead to failure, Curry cautioned.

“At the end of the day, security is a discipline and we have to be willing to change what we know and how we approach problems. That’s why mentorship and understanding what others have done is so important.”

The notion of change invokes an emotional reaction that’s usually negative, said Curry. The adage that change is hard is true, but security leaders have experience handling situations that are less than pleasant.

“I’m not telling everybody to love change, but we have to bravely embrace it. We’ve all been in breach incidents and that’s hard. We’ve got to act like that every day.”

There's more than one path to a successful security career

Security executives who lack the required communication skills shouldn’t fret about their career prospects, Curry said.

“The ultimate goal of a security person shouldn’t only be to become a CISO. The rungs in the security ladder are big so people think they should aim for the top but that’s not necessarily the case,” he said.

Before “attempting to climb a greasy pole” to the CISO role, security executives should realize that they can have financially, socially and professionally rewarding careers without running a security department, Curry said.

Wait. There's more.

During the interview, which starts around the 15 minute mark, Curry also shared why the emergence of vendors at Black Hat isn’t necessarily a negative development (it can help security align better with business), how information sharing among organizations can help the security community (make it worthwhile at a small scale, share information that leads to results, and then scale the program to include more organizations), and how vendors can capture a CISO’s attention (do your homework before reaching out).

Fred O'Connor

About the Author

Fred is a Senior Content Writer at Cybereason who writes a variety of content including blogs, case studies, ebooks and white papers to help position Cybereason as the market leader in endpoint security products.