What does it take to become a Chief Information Security Officer (CISO)? There are multiple answers, because it’s a multi-faceted role. Each person will bring a unique set of experiences to the job and there’s no clear-cut path or resume that defines the steps you must take to become a CISO. Yet, there are some common themes that emerge in looking at the type of person and personality required to hold the job title.
The abbreviation itself is revealing. First, take a look at the “C” in CISO. You’re the chief, the one in charge. Being CISO is a position of authority and responsibility. The security of digital assets, some of which are valuable and may come with legal strings attached, is in your hands. As anyone who’s ever flown a plane or performed surgery will tell you, the acceptance of singular responsibility for one’s decisions is not to be taken lightly. To be the CISO, you have to be ready to shoulder this burden.
Then, there’s the “O.” You’re an officer. Maybe your organization doesn’t have official designations like that, but as the CISO, you are acting on behalf of the business or government entity that employs you. You have an obligation to the owners and senior leaders of that entity. With this overview in mind, here are some specific qualities that define a successful CISO.
A Disciplined, Data-Driven Sense of Security Risk Awareness
Managing security risk is one of the CISO’s core responsibilities. It’s impossible to mitigate every risk equally. Instead, as the security leader, your job is to assess risks and guide the allocation of resources to address them in an optimal way. This is a monumentally difficult thing to do well. However, with discipline and a data-driven ethos, it is possible to keep the impact of risks to a minimum.
In practice, managing risk is about prioritization. The CISO must constantly ask him or herself where the biggest Infosec risks to network penetration and data breach will come from. From there, a good CISO builds an organization that can respond to breaches and other security incidents. The overriding goal of the incident response process will be to limit the impact of the risk.
You have to have the “chops” for the role, too. You need to be a security expert. This is the “IS” in CISO. Perhaps you have the Certified Information Security Auditor (CISA), Certified Information Systems Security Professional (CISSP) or Certified Information Security Manager (CISM) credential. You need to understand data security, operating systems, security systems, new technologies, security architecture and more. To be a successful CISO, you have to be a master of risk assessment.
The Ability to Align Security with the Business
Coming back to the “O,” an effective CISO understands that his or her job is not to stand in the way of the business, but rather to enable the organization to achieve its business goals—securely. The “officer” role carries the connotation of fiduciary duty. The CISO is a corporate officer tasked with protecting shareholder assets from cyberthreats that can reduce their value.
Doing this right involves finding a careful alignment between security policies, security technology, risk management and business administration in the security program. It’s a balancing act, getting at the right mix of caution and flexibility. Communication is also critical, as the CISO must find meaningful ways to convey the security message in a business- and board-friendly way.
This is why some of the best CISOs strike a balance between business executive and technical security manager. They know how to work with the board of directors. They don’t sugarcoat problems, but neither do they sound alarms without careful analysis of the business impact of a threat.
A Suitable Personality and Management Style
If you’re the CISO, you are above all, a manager. In a big company, this might mean overseeing a staff that numbers in the thousands through trusted direct-reports. A CISO should ideally embody good listening and communication skills. It’s more balancing, with the CISO needing to be approachable and open to input while remaining firm on critical issues where compromise is unwise. If the job requires change management, this is all the more important.
The CISO management style also requires being open to hearing feedback from colleagues, even if it’s not entirely positive. One of the most basic qualifications for a CISO is an admission that he or she does not know everything. If you’re in the role, you’ll be relying on trusted experts from inside and outside the organization. However, you’re the “C,” (chief) so the ultimate call is yours to make.
Strong Organizational Skills
A successful CISO has strong organizational skills to complement his or her management style. The challenge of operationalizing security policies takes a manager who can translate abstract, sometimes complex ideas, into actual organizational activity. This is a distinct personal trait the CISO must possess Or, at the very least, the CISO needs to understand how to delegate the organizational aspects of the job to people who know how to get things done.
Achieving this objective comes from understanding how the complete security environment works. The CISO must have a keen appreciation of the processes and technologies that are in use in the security organization, along with the nature of the IT landscape itself. And, it takes a great sense of who’s who, who does what, and who needs to be hired.
Recruitment and retention of security talent is a highly significant success factor for the CISO. It’s partially an organizational challenge. Finding the right people is not easy. But, it’s also a cultural matter. When a prospective employee says “I’m not sure I want to work for them,” that means “you.” You’re setting the personality for the department. Recruits will respond to the culture you create on the job.
Being a CISO is one of the great career experiences in the tech world. The rewards are potentially great, but so are the risks. The qualities highlighted above offer some insights into how to become a CISO. Are you up for the challenge?