How the Role of the CISO is Shifting: Leadership Skills and Strategic Impact

When I speak with security leaders that are considering making a move, I hear a common set of frustrations:

• Fatigue around battles for budget- both people and technology
• Not getting sufficient support from the business for changes that are necessary to harden security (e.g. patching, retiring legacy systems, etc)
• Executives that don’t understand security or the importance of the function
• Being put under IT, which prioritizes efficacy, uptime, and releases over security, and trades security budget for tools and consultants

Nobody wants to feel like they are given a job but not the tools to be able to succeed.

However, when I speak with executives, I often hear these concerns about security:

• Tool and budget increase requests that lack a clear business case
• Explanations and articulations that don’t indicate an understanding of the business or business priorities
• Being the department of ‘no’- shutting things down without offering alternative suggestions

There is merit to both sides.

I will not suggest that security leaders can single handedly get senior leadership to ‘find religion’ on the importance of security, or change company culture.

But, in many cases, they can do better. And they can effect positive change. Their job is not to run a security department; it is to optimize a company’s security posture in light of business decisions around risk tolerance.

The concept of ‘shift left’ has been oft-discussed the past few years as the problem of security being at the end of the line (vs. upstream integration) became incredibly clear. And so the ethos has been to embed proper security practices (and tools) upstream in the actual development process. Hence the rise of DevSecOps.

Similarly, there has been a burgeoning realization that security posture will always be handicapped unless modern security practices can be embedded upstream into the business on multiple additional fronts, for example:

• Training and awareness to address human vulnerabilities
• Design and configuration of environments; secure cloud migration practices
• Decisions to retire vulnerable legacy assets and technical debt
• Prioritization and automation of patching
• Budgeting processes that appropriately weigh risk

It is not a revelation to say that security leadership must play a role in evangelizing the value and role of security, and build relationships with stakeholders across the business in order to earn credibility and trust.

What does get lost is the nuance of what it takes to do so, and the skills to look for in a CISO, based on the company’s size, maturity, risk posture, risk appetite, and willingness to change.

If the leadership appetite is there and the degree of security improvement required is large, the job of the CISO is at least as much a change leadership role as it is a technical security role. And all CISOs benefit from the ability to understand and connect with the business, lead change, and influence people.

I spoke with Lisa Gallagher, former MD at PwC about this topic. She coaches and supports CISOs in their own development journey, and noted that there are simply not enough talented security leaders out there to meet the demand, particularly ones that have balanced leadership skills and technical skills. So she works with companies and the security leaders to build their business and leadership skills. She also noted how critical it is that security be able to get out of their own swimlane and understand the broader picture around data is used by the business and the data governance needs across the organization.

Here's our rundown on leadership skills required by CISOs in this environment. The relative importance of these skills will depend on a company’s context and security posture objectives. Nobody is perfect. Business leaders should think about the right mix for their own context; security leaders should objectively think about their strengths and weaknesses relative to what’s needed to be successful.

• Ability to measure and articulate risk
• Ability to deeply understand business economics
• Storytelling
• Relationship building
• Strategic planning
• Development of vision and strategy
• Change leadership
• Systems thinking
• Large scale program management/ leadership
• Clarity of communication
• Confidence and presence
• Ability to balance and weigh priorities
• Ability to form a cohesive and trusting culture
• Ability to screen and identify top talent
• Persuasion/ selling abilities
• Clarity of written business communication

There are some universal truths in play here. Great CISOs have the technical chops to build and improve a security program, but also have a keen sense of what they don’t know (gaps to fill in around them), humility (which supports a realistic view of the environment and is foundational to trust), an ability to rapidly cycle learnings, a desire to get out of the security pillar and build relationships across the business, and the ability to rally others in their cause.

How do you see the business side of security evolving over the next 3 years? I’d love to hear from you.