“Beyond technical expertise, develop into a business leader” Conditions for a great CISO

Experts explain why CISOs are becoming business leaders rather than purely technical specialists. Your success as a business leader depends on your ability to influence others and drive the security agenda.
The CISO role has evolved from managing technical controls to supporting business strategy. Becoming a great CISO requires more than technical expertise: CISOs must balance multiple business risks, protect systems from threats, and ensure enterprise resilience.


Mandy Andres, CISO at Elastic, said, “From a previously technology- or compliance-focused role, the CISO is a business leader who must understand business strategy and operations and make trade-off decisions between dealing with risk and investing in the most promising areas. The role has changed.”
This shift in thinking treats security incidents as inevitable and plans for a breach in terms of when, not if, it will happen. “Twenty years ago, when there was a data breach, responsibility automatically fell on the CISO, so you had to look for a new job, because the goal was zero incidents,” Andres said. Many companies now accept that their security setup is imperfect and that they need to focus on resilience and preparedness for the incident that will eventually occur.
In the past, security was treated as a binary, on-or-off matter; today, security programs must be designed to help the organization adapt and respond while minimizing the impact of an incident. Because both cybersecurity and business operations teams are now involved in response and resilience planning, CISOs must be active across the enterprise, especially during an incident.
“It broadens the scope of people involved in the process,” Andres said. “This means that when a security event occurs, it involves not only the technical security team but also the public relations and communications teams and, depending on the scale and severity, management as well.”
CISOs are also leading budget discussions. In the past, you were given a budget and simply had to do as much as possible within it; today, budget discussions are far less simple. “What’s become more difficult from a CISO perspective as the role has evolved is that you see a lot of situations where you want to do things differently and you know it’s better, but the focus of the business is on other parts of the business,” Andres said.

Background of the ideal CISO

CISOs can come from any background, whether college, work experience, or professional certification, and the lines between those backgrounds are blurring as cybersecurity requirements change.
In the past, people with SecOps backgrounds often focused on operational security, while those with GRC backgrounds often prioritized compliance for risk management, says Paul Connelly, a former CISO who now serves as a board advisor, outside director, and CISO mentor. “Information security requires basic capabilities in technology, but a CISO does not necessarily need to be an engineer or developer,” he said.
A broad understanding of information security responsibilities is necessary, but CISOs can come from any function, including IT or internal audit. Experience across various industries and companies brings the advantage of diverse thinking. The modern CISO must place the highest priority on aligning security efforts with business goals. “People who have gained broad experience across multiple parts of the company are better prepared than those who have come up with a singular focus on SecOps or another area,” Connelly said.
In medium and large companies, management skills, leadership capabilities, and business knowledge matter more than technical skills. In small teams, on the other hand, every member wears multiple hats, and the CISO in that environment must be a technical leader. “In this case, a technological foundation like SecOps can help,” Connelly said.
The most important thing is the ability to set and lead a security agenda tailored to the environment. CISOs must understand the business side of information security to gain the trust of boards and executives. Reflecting these changes, a cybersecurity leadership course is also being developed to help produce security leaders who can encompass the entire business.
“The goal is to develop cybersecurity leaders with business acumen, communication skills, and the ability to collaborate with other groups such as legal and audit,” Connelly said. “This is an effective combination for today’s leadership.”
Connelly, a longtime mentor, advises building the career experience that qualifies you for leadership. If you are a CISO at a large company, he recommends looking for opportunities to rotate across multiple departments for leadership development.
If you seek leadership but do not have such opportunities, find a mentor and develop a long-term, goal-oriented relationship that supports your growth. “Mentors provide advice, feedback and ideas to help you choose the right path,” Connelly said.
Connelly suggested first identifying the areas where a mentor could be helpful, then shortlisting potential mentors and approaching them directly or through mutual connections. To get the most out of the relationship, Connelly says, set goals and lead the conversation at each meeting, but leave room for the mentor to add his or her own thoughts and to make adjustments if necessary. “You need to decide in advance what problem you want help with and start a relationship,” he said.

Expanding into an influencer role

As the CISO’s responsibilities have expanded beyond technical matters, the share of the role devoted to influencing the wider company has grown. CISOs must build relationships and collaborate with diverse teams to ensure security is integrated into processes and responsibilities across the enterprise.
Influence is key for CISOs leading security initiatives. As the era of imposing technical solutions comes to an end, the focus must shift to listening and considering diverse perspectives. Seeking shared solutions is important, Andres said, adding that this consultative approach is essential for CISOs to perform their roles effectively. “This is where influence comes into play. You have to understand how to approach different individuals, personalize interactions, and adapt to the situation.”
This requires understanding the language, needs, and limitations of diverse teams to foster more positive interactions and discussions. “For example, if you approach it with the attitude, ‘This is the only way to achieve this goal,’ it creates an adversarial relationship,” Andres said. “On the other hand, if you approach it from the attitude of, ‘This is what we need to achieve, let’s discuss how we can work together,’ you focus on why you are doing this and how it will help you succeed in business and help your customers, and you have a much more positive interaction. It can lead to action and discussion.”
Cillian O’Leary, head of technical recruitment at PlaceMe Recruitment, agrees that the ability to set shared goals, engage stakeholders and act as an influencer is important.
A few years ago, CISOs were like islands in their own territory. That may have suited certain personality types, but the job is now clearly one of influence and collaboration, and these qualities have become very important factors that companies evaluate when hiring new CISOs. “Enterprises are looking for CISOs who can buy into their security roadmap and build followers to join them on the journey,” O’Leary said.
Based on his experience, O’Leary said that while technical expertise is important for the modern CISO, it is equally important to understand that different people, whether CIOs or CEOs, interpret the meaning of security posture differently. This requires identifying evolving threats, presenting insights in a way that executives can relate to, and creating security awareness across the enterprise. “Being an effective CISO requires a certain level of grit because you have to be willing to have difficult conversations, influence and mentor others, understand people, and yet push your own agenda to improve the business,” O’Leary said.

However, if a company does not fully understand the CISO role, the situation can become complicated, with a mismatch between the job specification the CISO is expected to meet and the list of required technical competencies.

O’Leary said companies need to understand the functions of the CISO role, whom the CISO influences, and whom the CISO works closely with.

In some cases, recruiters like O’Leary assess a candidate’s suitability on whether the candidate has a variety of experiences, on a short tenure, or on whether his or her experience at a single company fits the job description. “If you’ve been exposed to a variety of industries, challenges, and business types, you have a well-rounded experience,” O’Leary said.

O’Leary says that in environments with a lot of change, personal qualities such as a growth mindset and adaptability give a CISO an advantage. “Effective CISOs see themselves as unfinished and still in development, because you must develop according to the trajectory of your role. It also includes establishing a firmer position in the company.”

One characteristic everyone agrees on is passion for the role and for the mission of protecting the business; it is a key element of a good CISO. Passion is an important personal motivator, but it also spreads within a team, advancing the mission of protecting the business, its customers, and its employees.

“A good CISO is someone who is passionate about cyber and committed to learning and improving throughout their life,” O’Leary summarizes.

Source: www.itworld.co.kr