The Dramatically Changing Role of the CISO

When I first started covering data security in the 1990s, the relatively new CISO role was almost entirely technical. Even if CISOs didn’t do the work directly, they needed deep technical capabilities in networking and operating systems. And the role was essentially filled by hiring from technical corporate positions, law enforcement or technical roles within the military.

Rarely did these CISOs, except at the largest organizations in critical industries, meet with the CEO, let alone their board of directors. At the time, the vast majority of CISOs or their equivalent reported to the CIO. There’s been quite a bit of change in the role of the CISO since then.

Today, the function of the CISO involves much more risk management and business leadership. It’s as much about helping executives and the C-suite understand risk as it is about bits. This has a profound impact on recruiting cybersecurity talent. Consider a new report from Kudelski Security, “Cyber Business Executive Research: Security Leadership Talent Gap,” which found that the new responsibilities of the modern CISO now include business leadership (23%), being an evangelist for the program (17%) and being the organization’s risk leader (17%).

The report, based on responses from members of Kudelski Security’s Client Advisory Council as well as interviews and surveys conducted last year among 110 CISOs in the U.S. and Europe, found that 82% of respondents agreed that soft skills such as communications skills are critical, compared to 52% who said that hands-on technological experience is critical.

As CISOs witness the scope of their work expand, they increasingly need to hire staff who can help them effectively manage domains such as fraud, privacy, risk and physical security. The survey found the top skills needed for CISOs today include business acumen (18%), soft skills (15%), exposure to senior executives (14%), experience in all areas of security (9%) and leadership experience (8%).

The report found that CISOs increasingly need to involve themselves with business concepts and processes outside of security, as well as effectively communicate risks to the board and senior management. “CISOs must develop these skills to help sell security, build and maintain critical relationships, and communicate at both senior and operational levels. Soft skills are critical to evangelizing the program and celebrating wins, which need to be expressed as business outcomes,” the report stated.

The report also ranked the skills essential for security leadership: communication skills (82%), business acumen (62%), cyber risk management (56%), relationship management (55%), clarity of thought under pressure (55%), hands-on security technologies (52%), people management (50%) and executive presence (48%).

Business acumen, business leadership and cyber risk management topped the list. “All cybersecurity is about business outcomes, so experience and understanding of business concepts and processes are key. The ability to effectively communicate risk at board and senior management levels is crucial,” the report said.

Increasingly, CISOs are outsourcing to fill skills gaps and manage their workloads. “As security teams grow and evolve, it can be helpful to augment internal resources with third-party support. In particular, managed security services like incident response, threat monitoring and hunting, and device management are proving popular as a way to take the burden off in-house security teams or address skill gaps,” the report said.

Finally, the report found the top three positions most suited to move into the CISO role are governance, risk and compliance (29%), security operations (16%) and security architecture and engineering (8%).

Reflecting upon my start covering information security, there’s clearly been significant change over the past 25 years. Governance, risk and compliance wasn’t even a role category yet, and few knew what security operations or an enterprise security architecture should even look like, or how it should function. Chances are, with the rate of technological and industry change, the next 25 years of evolution will be just as profound as the last.