During a recent panel discussion at the U.S. Bank Strength in Security conference, a few local chief information security officers (CISOs) were posed a simple question:
“What does it take to be a CISO in these times?”
We invited two public-sector CISOs and a private-sector chief security officer (CSO) to explain the evolution of this role. If you’re thinking about the CISO role as a potential career step, here are some of the takeaways that might help your decision.
All the panelists noted that the CISO role can differ dramatically from other cybersecurity and information security roles, specifically regarding management skills. For a public-sector CISO, who previously served as a deputy CISO, an entirely different set of skills was required.
“Once you’re in that role, you need to maintain the trust of those that don’t understand your work,” the CISO noted. “I couldn’t rely on the technical knowledge as much anymore. I needed to know more about financial, legal and business operations.”
The private-sector, healthcare-based CSO panelist concurred, noting that the best CISOs merge the technical and business aspects of their organizations.
“You need to have some technical acumen to be able to challenge findings and direct teams,” said the CSO. “You also need to have soft skills, relational skills and financial management skills. The job of a CISO is to change the way the business thinks about business.”
The cybersecurity atmosphere changes constantly and new threats appear every day. Modern CISOs must stay aware of these threats, which requires reading intelligence reports and security news briefs regularly.
The other CISO panelist noted that those reading skills should extend beyond cybersecurity-related issues.
“I had to brush up on the organization’s public relations and damage control books, to learn how to deal with the media during any security disasters,” the CISO said. “I also spent time reading internal manuals and documents on staff management, peer development and overall business operations. About 10-15 percent of my work day involves reading these reports.”
When you’re in charge of a cybersecurity operation, you’ll need to ensure that your staff stays current with evolving threats. Talent development accounted for at least 25 percent of the responsibilities for the panelists, and all three noted that hiring techniques matter as much as the actual talent that’s acquired.
“Good cybersecurity talent is hard to find, but it’s not the most important part of the process,” the CSO said. “If you don’t have good techniques in identifying, interviewing and onboarding new talent, you’ll just be back in the same place within a few months.”
The CSO noted that asking prospective employees about their professional development goals and interests during the hiring process helps allocate new resources that match the organization’s goals.
The panelists agreed that the modern CISO role can be physically and emotionally taxing. New threats evolve every day, and it’s easy to get buried in an onslaught of new information. For the sake of emotional and physical well-being, they all argued that CISOs should allocate some time away from the cybersecurity world.
“You need to have some form of relief that is not cybersecurity related,” the CSO said. “Try honing those soft skills, to better prepare yourself for meetings with business stakeholders.”
If you’re interested in the CISO role as a future career path, these lessons can help set expectations for your transition.