Today’s CISOs occupy a unique role at the intersection of security, technology, and business and are seeing an increasing number of responsibilities falling under their purview. The scope of their duties varies, but includes everything from assessing the risk of emerging cyber threats to aligning IT architecture with business needs to providing strategic counsel to the C-suite. Faced with an ever-widening list of job functions and complex and often confusing reporting structures, there’s ambiguity around exactly what skills they need to succeed and how they can best inspire and collaborate with teams across their organizations.
However, the most effective CISOs share common traits – centered around their breadth of skills, willingness to ride waves of change, and energy towards problem solving and innovation. It’s safe to expect that the hard skills needed for this role will continue to change as the threat landscape evolves and new technologies come to light. So for now, CISOs should strive for the qualities and best practices that will allow them to make an impact and connect with their teams regardless of the macro changes ahead.
Strike the right balance between technical and business acumen
The skills spectrum for CISOs ranges from extremely technical to extremely business focused. Yet the most respected tend to land somewhere in the middle – staying close to their technical roots, even as their role demands an increasingly business-oriented perspective. CISOs who skew toward one end of this spectrum at the expense of the other will have a harder time earning the credibility and trust of their peers and creating productive partnerships across business groups. If you’ve found a CISO who excels at both, hold on to them – you may have found yourself a unicorn!
While up to 30% of a CISO’s effectiveness in 2023 may be directly measured by their ability to create business value, they still need to be able to get into the weeds and deeply understand the implications of different security and IT solutions. This rings especially true as knowledge of software engineering, cloud security, machine learning, and artificial intelligence is now expected of CISOs – illustrating the “shifting left” of security skill sets. This technical depth is often what helps them build rapport with teams.
CISOs should be able to defend their architecture in the here and now, but also have the technical prowess to move the organization toward its future security – and business – goals. Their knowledge needs to go beyond learning about new products to truly understanding how these solutions might benefit their business in the short and long term. That said, they don’t have to operate as a one-person island – in fact, they can and should have consistent, collaborative conversations with their peers to ask for input and ensure everyone is on the same page.
Provide appropriate guardrails, but not too many
It’s common for organizations to have reservations about new security hires, and the reason is usually twofold. First, security professionals can fall into the trap of the “smartest person in the room” mentality, putting a damper on open communication and compromise. Second, security professionals are often perceived as overly risk-averse – slowing down processes and momentum by rejecting potentially risky proposals out of hand or requiring fully baked policies before employees can proceed with anything new. These factors throw up red flags for organizations, especially startups, trying to move at a fast pace and stay agile. On the bright side, this doesn’t have to be the case – effective security leaders can run alongside their existing teams and offer appropriate guardrails, while still helping accelerate the business.
Think of risk management like surfing: you’re never going to catch a big wave if you’re sitting on shore. When evaluating the security implications of a new technology, CISOs need to learn to ride the wave by moving from the mindset of, “let’s wait until we fully understand the capabilities and implications” to “let’s codify the technology and write our policies while concurrently exploring our options.” New AI applications, like ChatGPT and other generative AI tools, present a timely opportunity for CISOs to put this approach into practice, by being cautious yet not impeding exploration or progress. As companies evaluate how to incorporate AI into various internal and external processes, and even their products, CISOs can support by providing insights into preventing data loss and using good judgment around the outputs of large language models – all while encouraging the responsible use of this new technology where it makes sense. When CISOs can show their peers they trust their judgment by only offering the guardrails most necessary to protect people and information, they earn trust and respect.
Resist complacency and seek creative ways to solve problems
Finally, with the volume and sophistication of cyber threats on the rise, there’s no room for complacency. Even when security programs are running smoothly and the seas appear calm, CISOs need to stay proactive and always be thinking about next steps and innovations. The three primary ways attackers gain access to an organization are stolen credentials, phishing, and exploitation of vulnerabilities, so CISOs need to stay current with these trends and find new ways to defend their data against bad actors. Doing so requires them to resist administration mode and focus instead on innovation building, asking questions like, “What’s the next big move our industry needs to make to address these problems?” The best CISOs don’t operate within a bubble – they talk with their peers, C-suites, and broader networks about newer, faster, and more effective ways to approach their role and responsibilities.
By keeping these tips in mind, CISOs will be better equipped to balance risk and opportunity, be brought to the table earlier in decision-making processes, and be trusted to set the security tone at their organization. Further, they’ll be able to handle ever-shifting responsibilities and navigate their businesses through today’s high-stakes cybersecurity landscape. By returning to the grassroots of information security and remembering that there’s room for creative thinking in cybersecurity, they can spend less time saying “no” and more time exploring new solutions, optimizing programs, and building strong connections with their teams.