The role of the Chief Information Security Officer (CISO) is changing rapidly. Joe Krull, a Senior Analyst at Aite Group, shares three fundamentals crucial for a CISO to be successful today, including how to build a better cybersecurity team by drawing on non-traditional talent sources. This commentary is based on a recent podcast.
The role of the Chief Information Security Officer (CISO) has certainly changed since the days that I wore that hat, and it is a role that is continuing to evolve. The world has become more complex, which requires CISOs to do much more, yet these professionals are not necessarily given the resources needed. For instance, a budget may be increased, but that alone is not enough to keep up with the constantly evolving cybersecurity landscape. After working with so many CISOs over the years, I believe there are three fundamental things that a CISO needs in order to be successful.
Knowledge of the business
Firstly, knowledge of the business that is being defended is fundamental. It is amazing how many times I’ve asked a CISO, “Well, how does that manufacturing line work?” or “How many widgets does your company produce in a quarter?” and they cannot tell me the answer. This is the kind of business-related knowledge a CISO needs in order to better anticipate business issues, expansions and geographic issues. In my view, many CISOs are deficient in this business know-how.
Understand technology available
Secondly, a CISO needs to understand what types of cybersecurity tools are available. That is not to say that a CISO needs to be a technologist. Instead, the CISO could assign a team member to follow technology trends and monitor new tools as they become available. The CISO should have a high-level understanding of the technology vendor market and of how it is evolving, which it is doing at a rapid pace. There may be a tool or process in development that could alleviate some of the existing pain points.
Strong leadership and good communication
Thirdly, a CISO needs to be a strong leader in order to keep the team motivated, because sometimes the challenges just seem insurmountable. Good communication and even negotiation skills are also an advantage for a CISO when dealing with peers, internal leaders and even the board of directors. This skill is so important to the evolving role of the CISO that Aite Group published a report last year that touched on CISO relationships and specifically on improving board engagement.
How to build a cybersecurity team
Depending on the source, industry estimates of open cyber roles range from about one to four million globally, with about 500,000 of those in the United States. This means that CISOs will have to be clever and strategic when hiring for their cybersecurity team, and they may need to source new talent from non-traditional sources. In our trends report, we suggest that CISOs and firms participate in or sponsor cyber defence competitions, expand internship programs, and allow IT staff from other parts of the organization to shadow the security team in order to support talent sourcing. Once a person has shadowed the team for a time, a CISO can better determine whether he or she would be a good fit for the cybersecurity team.
For example, in the last role that I had as a CISO, I sourced a lot of people from the IT team, and one of my best security analysts was a systems administrator who just became very interested in cyber and has now made a career out of it.
Another strategy we have seen some success with is convincing companies’ Human Resources departments to waive the four-year degree requirement for cyber jobs. There are some great practitioners who do not have a formal education. For instance, some cyber professionals who have been successful are former IT freelancers or professionals with military or computer gaming backgrounds. If someone is really interested in cybersecurity and has a proclivity for working with computers, that knowledge can be applied accordingly.
Tasks CISOs should do immediately
If I were to give a CISO some advice on measures to take now to bolster their defences, I would suggest updating playbooks and running realistic breach exercises. It is inevitable that companies are going to have security problems, and it’s better to be prepared and to understand where the pain points are before you actually have a real breach or a real problem.
Additionally, a CISO should be looking at their real-time backup solutions to ensure all critical data can be backed up. Finally, CISOs should be reviewing their cyber insurance policies to make sure that the coverage really matches today’s threats, because we are seeing a lot of misunderstanding around cyber insurance: what’s covered, what’s not, and what the exclusions are. This is an area where organizations and CISOs can really dig in and start to figure out whether insurance is still a viable way to transfer risk.