The evolution of the CISO (chief information security officer) position over the past few years is nothing short of remarkable. Not too long ago, ensuring that a business's technology was secure fell to the CTO or CIO. But as the value of security has increased, the majority of enterprises now have someone dedicated to that role, someone who faces the board on a regular basis.
A new survey from NYSE Governance Services, entitled "Cybersecurity in the Boardroom," conducted in partnership with Veracode, asked 200 directors of public companies how they view security in the boardroom. While the entire report is worth reading, one section focuses on five key qualities of a CISO that the board will expect. Understanding how directors view this role will help both existing and prospective CISOs prepare themselves, and their presentations, when they have to report to the board.
1. Technical Skills and Experience
Many upper management positions rely mostly on leadership skills, and while those are obviously important for a CISO, the top skill that boards expect CISOs to possess focuses on the technical aspect of the position. This shouldn't be taken to mean that CISOs are expected to be the most technologically savvy people in the organization, but they need to have more than just a high-level knowledge of the systems they are protecting, and the tools they are using to protect them. As the person who will set the agenda for securing the infrastructure and applications, having in-depth knowledge of and experience with the systems and tools reduces communication breakdowns that can hamper the process and ensures the chosen security solution is in line with industry standards.
2. Business Acumen
The CISO has to bridge the gap between business and technology within the organization. As detailed in the first key quality, not only do CISOs have to master the technology, but they also have to keep the business needs in mind. Locking the systems and networks down tightly will certainly make them more secure, but if the needs of the business aren't taken into account and productivity or trust suffers as a result, then the security solution could actually do more damage than a successful attack. As the survey shows, the board understands the need for balance, and it will look for CISOs who can master both sides of this equation.
3. Strong Communicator
With responsibility for major breaches now reaching up into the highest levels of business leadership, the board wants more than assurances that security is being handled. The board and other C-level executives won't have the CISO's grasp on the convergence of technology and security, so it will fall to the CISO to effectively communicate the position and needs of the business. As the report discusses, the board would rather see the CISO use risk benchmarks compared to others in the industry, or the discussion of breaches within the industry, than have the CISO attempt to discuss specific technologies and their functions. Only by being a powerful communicator can CISOs accomplish this task.
Looking for risk in a security position may seem counterintuitive, but when broken down, it is truly a powerful trait. Within the world of security, taking the safe, trusted, and proven route can often leave organizations vulnerable to emerging threats that find and exploit weaknesses in existing security systems. Having a CISO with the ability to take risks will not only enable the business to adopt new security solutions at a much faster rate, but will create a forward-thinking culture that can identify and address emerging security issues before they become a problem for the business.
5. Crisis Communication Expert
Of all the communication CISOs will do throughout their careers, nothing will be more important than the communication that takes place in the midst of a security crisis. Between the board, the C-suite, the security team, the IT department and maybe even HR, dozens of people have to be kept in the loop during a crisis, and all of them have unique informational needs. A CISO not only has to be able to stay on top of the crisis itself, but has to keep everyone else informed with exactly the information they need. Only by working as a team can a business survive a serious incident, and it's the CISO who acts as the captain of the team during that period.
Getting a grasp of these key qualities of a CISO will help anyone in the position deal with the board and the rest of the C-suite. For more on understanding these qualities and how CISOs can tailor their message and their work to be exactly what their business needs them to be, check out the full report here.