Cybersecurity And The New CISO: The Leadership Enigma

October 16, 2018

Originally published by Forbes


As a chief cybersecurity advisor, I regularly receive requests from recruiters working in the field. Acknowledging the economic forces at play, I appreciate that global demand for cyber professionals exceeds supply. Add to this the increasing rate of organizational breaches and the explosion in technology and online services, and it is easy to see why demand has spiked.

All of these factors have no doubt fueled a boom in the cybersecurity industry, bringing with it the problem of questionable leadership. There are those who aspire to be cyber professionals, who may even have an IT background but do not have the necessary knowledge, experience, training and time at the coal face in cyber roles. Put simply, they lack good pedigree. The next time someone wants to talk to you about “risk,” ask them if they have ever conducted a threat risk assessment or managed incident response. More than likely, the answer is no.

How do we get the right cyber leadership?

Let’s first consider this through recruitment of a key cyber role — the CISO (chief information security officer).

Recruitment needs to start with well-constructed job descriptions and criteria. CISOs need to be able to develop and set strategic direction for cyber risk and information security. Their areas of responsibility should include:

1. Risk management/risk culture.

2. Documentation standards.

3. Relationships and communication — in particular, with senior management and industry.

4. Incident response and business continuity.

5. Third party management.

6. Compliance activities.

7. Technical capability and delivery.

A must-have requirement is the ability to maintain a current understanding of the cyber threat environment for their industry, and of the related laws and regulations, together with the ability to translate that knowledge into identified risks and actionable plans to protect the business.

Similar challenges exist for project manager (PM) roles. A good PM can make a significant difference to the timely delivery of a cybersecurity project, ensuring it stays within budget and delivers the intended outcome.

Along with project management ability, the PM needs acumen in IT and cybersecurity. This should be mandatory. Many PM job descriptions now explicitly specify such things as:

• Technical knowledge of ICT infrastructure (software and hardware) and experience with toolsets used by ICT organizations in the security, management and delivery of their services.

• Extensive understanding of ICT concepts and the system development life cycle management methodologies, including experience with agile application development teams.

Developing job criteria can be a challenge, but there are now a number of recognized national standards to help.

The Institute of Information Security Professionals (IISP) Skills Framework was developed in collaboration with security leaders from the public sector, the private sector, academia and industry. The framework uses a consistent language to describe the range of competencies expected of information security and information assurance professionals in the effective performance of their roles.

The National Cybersecurity Workforce Framework is part of the National Initiative for Cybersecurity Education (NICE) and is published as NIST Special Publication 800-181. It categorizes and describes cybersecurity work through several components, using a common language.

Another recruiting tip concerns the interview panel. It must include members who understand the specialized field within which they are interviewing and filtering candidates.

What makes an effective CISO?

To be effective, a CISO needs to have both a blend of technical knowledge, business acumen and cybersecurity skills, and an appropriate position within the organization that allows them to deliver on their mandate.

The CISO needs to be able to execute on all fronts of cybersecurity practice, using their business and security acumen. They also need to incorporate prudent risk management by building and delivering on a risk-based portfolio strategy (including prevention, response, mitigation, insurance and measurement), or business-driven security. This means looking at the organization’s portfolio of risk and determining how cybersecurity plays into each risk.

While I am a big fan of qualifications and certifications, I also believe that informal qualifications are just as important — as long as they are relevant. The qualifications that go into a well-rounded CISO are a blend. Many organizations now require some baseline degree in a relevant discipline along with a range of hard and soft skills. Hard skills can include security concepts (authentication/authorization, operating systems, DNS routing), risk assessment methodologies, network architecture and compliance standards (such as PCI, NIST, GDPR), to name a few. Soft skills such as communications, interpersonal/negotiation skills and strategic planning are now hugely favored.

To effectively influence change and set direction in support of real business objectives, the CISO should be elevated to the equivalent of the CIO. Conflicts of interest aside, I have seen many times when the CISO role falls under the CIO, and their focus is diverted toward plugging security gaps and never actually leading and planning for the future. Moving from problem to problem is an indicator that the organization does not have a mature risk management culture.

The New CISO

The new CISO must know how to quantify risk and understand business as well as cybersecurity technologies. They should have a passion for technology and security. They need to be a champion, educating the organization about the latest security strategies, technologies and methods.

They are no longer just the keeper of secrets or guardian at the gate. They are integrated into the business and taking a risk-based detective/hunter-style approach.

As the CISO role evolves from exposure mitigation to incorporating broader business risk management, the cybersecurity apparatus must also change. This means that certain traditional security tasks should move into operational IT areas. Risk management and risk culture, supported by data capture and analytics, should become the core functional capabilities.

This will mean having to retool/rekit your organization’s skill set to support more analytical thinking and promote a greater awareness of operational risk management.

The mission today is beyond just exposure and encapsulates everything from protecting brand and reputation, revenues or market share to enhancing shareholder value. This is how you evolve from a compliance-driven model to an intelligence-driven, agile model.
