What makes a successful Chief Information Security Officer (CISO)? It’s a job title that has only existed for a relatively short time. At SecTor 2015, keynote speaker Trey Ford mentioned that many CISOs were in the job for the first time and feeling their way around the role. A year later at SecTor 2016, we asked a handful of experts what a good CISO looked like. The responses in our video below were intriguing.
CISOs are translators
Mikko Hypponen, chief research officer at F-Secure, told us that CISOs are translators, first and foremost. They must convert specialist IT information into a digestible format for business people, and vice versa.
These groups often speak what amounts to a different language. Business people will have a difficult time understanding not only the technology that helps to secure their data, but the processes that it supports. Conversely, technology-focused information security specialists may not see the bigger challenges facing business executives.
This is especially important given the wide range of people touched by information security, points out Chris Wysopal, CTO at Veracode. Business users occupy roles ranging from accounting through to marketing and creative, each with different needs.
The CISO articulates each group’s challenges and methods effectively for the security team and explains to each of them in their own terms what the security function is attempting to do and what it needs to do it effectively. If the CISO does their job properly, they can create a platform for consensus.
CISOs are experts
Communication and consensus building are ‘soft’ skills, but that doesn’t mean that a CISO shouldn’t bring some hard knowledge to the table. Even if they come from other functions in the business such as finance, they must bring or develop a solid understanding of information security practice and principle, warns Laura Payne, senior information security advisor at the Bank of Montréal. Without that background, they won’t have the respect of their technology staff, or the ability to package complex information properly for business managers.
CISOs are salespeople
Security is about far more than just talk, however. It takes an investment in time, equipment, and human resources. The CISO needs a supportive board to get those resources and to help foster support among mid-level managers. Selling cybersecurity is an important part of the job, says Chris Pogue, CISO at Nuix.
Getting this support from a busy and distracted board can be difficult. An effective CISO will sell the concept of cybersecurity as a governance issue to senior management, and win their support for the long-term, creating a consistent platform for information security in the organization, rather than sporadic investment based on knee-jerk reactions to headline events.
CISOs are advisers
CISOs don’t necessarily make all the decisions themselves, points out Ben Sapiro, senior director of security, privacy and compliance at Vision Critical. Instead, using their communication skills, they present the facts to the board. They distil an organization’s ability to absorb risk and lay out options for reducing it at a rate that the business is comfortable with. A good CISO will be able to present these options to the board, giving them the data they need to make proper decisions about information security.
CISOs are visionaries
CISOs are technical experts, but they are also visionaries, argues Solomon Sonya, assistant professor of computer science at the US Air Force Academy. They need some big-picture thinking to create a strategy of security across the entire organization, encompassing not only what exists today, but accommodating future technology developments.
That’s quite a shopping list. It’s not surprising, then, that chief security officer salaries are on the rise. Recruitment firm Robert Half publishes an annual survey of salaries for tech professionals. Its 2017 report shows Chief Security Officer salaries rising by 3.1% in Canada, outpacing all other senior executive jobs. North of the border, people in this role can earn up to $241,000, the company says. In the US, the same role will see a 5.3% salary jump this year, with potential top-end earnings of US $236,000.
A CISO role is a rewarding one – but you’d better have the unique mixture of communication skills, technical expertise and strategic vision needed to succeed in such a challenging job.