What skills help a good CISO?

Various skills
CISOs (Chief Information Security Officers) need a range of skills to be able to cover their area of responsibility effectively and efficiently.
Understanding of the company or the organization
Successful CISOs today must differentiate themselves from previous generations of CISOs by developing a good understanding of the organization, including goals, challenges, industry specifics and even competitors beyond the defined area of information security. Members of senior management or board members are expected to understand, question and contribute to every area of the organization (even if it is not directly part of their immediate area of responsibility). The situation should be analogous in the public sector, for example with departmental management.
A modern CISO must therefore actively put themselves in a position to obtain this overall view, even if this is primarily done in the context of information security (“wearing information security glasses”). CISOs who do not succeed in this will continue to be seen as highly technical specialists who report to a manager and whose statements, at worst, come across to decision-makers in a company as incomprehensible technical statements.
Without an understanding of the comprehensive business activities of an organization, CISOs are unlikely to be recognized by top management and will likely not receive the necessary backing to perform their tasks. In order to develop these skills, a CISO must inevitably look beyond their own “cybersecurity horizon”.
Continuous learning
Because information security risks and attack vectors are constantly changing, CISOs must demonstrate a continuous willingness to learn in order to adapt to new developments. Every good CISO spends a great deal of time understanding how currently known vulnerabilities intersect with the evolving threat landscape and how to continually improve the organization’s security posture.
Information security is a constant game of cat and mouse that requires both strategic thinking and staying on top of the latest technology for sustained success.
Nowadays, it also involves keeping up to date with the numerous current and future regulations, directives, laws and rules on cyber security. A pure focus on technical innovations is a thing of the past; keeping pace with ongoing technological change now also means keeping pace with its regulatory aspects.
Effective communication
The ability to communicate a “technical” topic effectively and accessibly to the various stakeholders is a key to success in information security. Conversely, it is equally important to be able to communicate “business” topics in a way that is understandable to technical professionals. Without developing the ability to communicate with different stakeholders in their “understandable language”, modern CISOs will rarely be successful.
CISOs develop, establish and manage complex information security programs that often impact all aspects of an organization. The communication required at this point encompasses all facets: from motivating and leading a dedicated team, to promoting a security-conscious culture throughout the organization, to effectively managing security incidents and crises across many different organizational units.
Communication is required in all directions. It must take place with decision-makers regarding the release of required resources, and with employees it must use the most informative language possible, for example to raise awareness of impending information security risks or to make abstract compliance requirements easier to understand. A good half of a CISO’s work consists of communicating ideas, opportunities, concerns and plans to a large number of internal and external stakeholders.
If communication is poor, the concerns of information security are not understood and, in the worst case, the CISO is perceived solely as an annoying “naysayer”.
Nerves of steel
Crisis management is commonplace in the position of a CISO. Handling and managing security incidents is often already part of day-to-day business.
Employees of a company may also seek guidance from the CISO in the event of a crisis. For this reason, a CISO must be confident in their leadership approach and also exude confidence when developing a crisis response strategy and implementing it with employees in an organization.
Therefore, the ability to keep a cool head cannot be overemphasized. In particular, the current threat situation, in which entire organizations are sometimes permanently paralyzed by attacks (for example through encryption), places extensive demands on the personality and resilience of modern CISOs.
Prioritization of activities
CISOs or information security teams represent a cost centre in the organization. More often than one would like, in the CISO role one will be forced to work with suboptimal budgets.
Prioritization of work ensures, up to a certain point, that a CISO is able to align a low-threshold investment program with business objectives, allocate resources effectively, prioritize the most important risks and meet the expectations of internal and external stakeholders to the extent possible.
If prioritization is poorly or even incorrectly done, this can in turn lead to reduced resource flows into information security projects, the overall information security management system, future reduced budgets, unnecessary negative impact on the organization and non-compliance with regulations. Ultimately, incorrect prioritization will result in wasted time.
You can estimate the cost of avoiding risks in advance, but you never know the actual cost of those risks. Things that don’t happen are especially difficult to convert into tangible savings. This, too, can ultimately affect the budget of a CISO.
Technical understanding
In most cases, a CISO does not need to be the most technically savvy member of an organization or the information security team. However, the role does require the ability to understand and evaluate current information security threats, defense mechanisms, defense techniques and emerging technologies. Otherwise, it will be difficult to make informed decisions, lead a team effectively and maintain one’s credibility as a CISO.
The technical protection of valuable company assets is of very high importance in the cyber security environment. It is crucial to have the right skills and knowledge for the role of CISO in this area as well. Otherwise, the CISO may find themselves at a loss in meetings and expose the organization to avoidable risks.
Concluding thought
The portfolio of skills and abilities of a CISO is diverse and must take into account the goal of continuous adaptation to changing circumstances. The points listed here are by no means meant to show the complete picture. They are merely intended to provide food for thought about the various challenges that a modern CISO must face.
14.02.2025 09:21