The Information Security Leader, Part 2: Two Distinct Roles of a CISO
This is Part 2 in our four-part series on the evolution of information security leaders. Be sure to read Part 1 for the full story.
In the original “Star Trek” television series, second officer and chief engineer Montgomery “Scotty” Scott was invaluable to the mission of the Starship Enterprise — not only down in the engine room getting his hands dirty, but also up on the bridge as a senior officer supporting Captain Kirk.
Because of his technical knowledge, the Scotty character was clearly a subject-matter expert. But as a senior officer, Scotty was also essential to the USS Enterprise as a trusted adviser to its leadership team.
In this sense, Scotty from “Star Trek” exemplifies the dual roles of a CISO. That’s the first of three important changes that information security leaders and their teams need to address if they want to make a bigger and more valued contribution to their own enterprise.
How CISOs Should Strive to Be Perceived by Key Stakeholders
Successful next-generation CISOs should strive for their information security teams to be perceived by key stakeholders as being strong in two distinct roles:
- Subject-matter experts in the technical aspects of ever-changing threats, vulnerabilities, exploits and information technologies in the specific operational context of their own organization; and
- Trusted advisers to the people who are responsible for making the business decisions about security-related risks, with the business acumen needed to bridge the gap between technical detail and organizational impact.
To be clear, not every member of the information security staff necessarily has to embody both of these skill sets. Without question, every enterprise needs qualified hands on keyboards, capable eyes on screens and the technical expertise to take effective action. Even on the Starship Enterprise, with its total crew of 430, there were undoubtedly engineers who didn’t get called up to the bridge. But within the information security team — and ideally within the CISO — both technical expertise and business acumen must be present to bridge the gap between these two cultures.
Evidence of a Role in Transition
The signs of change in the CISO’s role have been in view for a while now, but only recently has cybersecurity’s transition from a low-level, tactical activity to a fully fledged, C-level business issue truly begun to accelerate. This translates to significant new opportunities for information security leaders with the right stuff. But what is the right stuff, exactly?
Here is some rough empirical data, the result of a simple job search on LinkedIn using the keyword “CISO” with geography set to the U.S. The search returned more than 7,500 results; a quick-and-dirty analysis of 10 randomly selected CISO job descriptions from that set (see the following table) provides several interesting insights into the attributes employers are seeking right now. Ten postings is a small sample, so treat what follows as indicative rather than conclusive.
Subject-Matter Expertise Lays the Foundation
In terms of years of functional experience; technical degrees and certifications; and working knowledge of regulatory compliance requirements, security frameworks, core technologies and specific solutions, the job descriptions for a CISO sound very much like Scotty the chief engineer down in the engine room.
The Trusted Adviser Role Is Growing
The growth of the trusted adviser role shows most clearly in a few contrasts within the same job descriptions. For example, beyond functional experience in IT or information security, the postings ask for industry experience, which supplies the context needed to judge which risks matter to a particular business. Advanced degrees, often in business or management, are valued because they help CISOs weigh trade-offs and make risk-based decisions rather than purely technical ones.
To complement technical expertise, the CISO is expected to provide leadership within the security function, cross-functionally throughout the organization and even outside it, with partners, regulators and customers. In these areas, the job descriptions for CISO sound like Scotty the second officer, up on the bridge.
Communication Skills Are Essential
Many security professionals are surprised by how much weight communication skills carry in their roles. Yet every one of the CISO job descriptions in this simple analysis emphasized the need to translate complex technical information into language that business decision-makers can understand, evaluate and act on.
In my own role as adjunct faculty in master’s degree programs at two well-known universities in Boston, I can tell you that virtually all my students struggle with this — but they all get better with repetition and practice! Both roles of a CISO have a critical dependence on strong communication, whether written or verbal.
These insights set the stage perfectly for the next two entries in this series about three important changes that CISOs and their teams need to make: The four fundamental questions that they need to learn how to address and the three persistent challenges they must learn to overcome.