Critical skills are necessary to make a successful Chief Information Security Officer (CISO). It is critically important that the CISO is tightly integrated with the organization’s mission. Focusing on skills in this way helps the CISO to be part of the organization’s strategic planning process, which leads to a much more resilient organization. We will be exploring 10 critical success factors that an organization’s CISO must exhibit in order to be successful in the role.
Knowledge and Understanding of the Organization and its Mission
It is incumbent upon the CISO to work with mission leaders, ensuring that new security projects deliver mission value that will ultimately contribute to improved organizational resiliency and productivity. Once this relationship has been established and appropriately communicated to the organization, the CISO should seek out mission leaders to champion and drive new security projects and to support the ongoing security activities of the CISO’s organization. In doing so, the security project becomes a mission activity rather than a security activity: the organization’s senior leadership is seen to support new and important security changes that will contribute to the organization’s continued success.
Planning and Strategic Management Skills
The CISO should first work with the organization’s executive leadership team to ensure that information security planning activities support the organization’s strategic plan and desired risk posture. Then, the CISO should understand all technology projects that are underway and planned throughout the organization. This way, the information security program can work to fully integrate into each project’s system development life cycle. Finally, the CISO needs to plan for changes in technology and adjust the information security program accordingly in response to industry innovation.
Being able to interact effectively within the organization is critical to the success of the enterprise information security program, which makes political skills an important CISO skill.
The CISO should understand the needs and concerns of the executive team as they relate to the mission of the organization and then present the information security program as a response to these needs.
The CISO should endeavor to effectively communicate how information security changes are designed to protect the organization.
Risk Assessment and Management
Risk assessment and management establish key processes used for communication between the organization’s executive leadership and the CISO.
Risk ownership is always a C-Suite/Board Level/Executive Leadership issue, so establishing a business-level line of communication between executive leadership and the information security program is vital to establishing a risk management program. The risk management program and its outputs must always be aligned with the business to be effective.
Detecting intrusions on the network and immediately working to clean and recover from those intrusions is critically important.
The stages of an effective incident management plan include:
- Preparation: Establishing and executing a well-thought-out and effective incident response program.
- Identification: The activity of intrusion discovery.
- Detection: Detecting the presence of a malicious actor.
- Analysis: Validating the presence of a malicious actor.
- Remediation: The activity related to intrusion eradication.
- Containment: Ensuring any new information systems cannot be infected.
- Recovery: Eradicating the infection from the information system.
- Mitigation: Ensuring that the information system is configured so that it can no longer be exploited.
- Post-Incident Activity: Lessons learned and continuous improvement.
These stages, when implemented correctly, establish an incident management life cycle that ensures effective planning, management, and continuous improvement, as outlined below.
Knowledge of Regulation and Compliance with Standards
The CISO must be an authority on the regulations, standards and compliance requirements applicable to the organization. This knowledge is important so that the CISO can tailor their expertise to the specific needs of their organization, leading to the development of compliant information security policies, processes, procedures, standards and guidance.
Policy Development and Administration
When developing your policies, consider that a policy that is developed and then set on a shelf is useful to no one. Therefore, the CISO is responsible for ensuring that policy:
- Meets mission strategic and tactical goals.
- Is promulgated throughout the organization.
- Is implementable by the organization and works to positively secure the environment.
- Meets legal and regulatory requirements.
Communication and Presentation Skills
When working with executive leadership, it is critically important to frame the conversation in terms that the executive cares about. In this case, frame the information security concepts in business terms so that they resonate well with the executive. When speaking with a peer team member, speak technically and focus on the specific technical controls that need to be in place to protect the organization. When working with an employee, turn information security into something that is relevant to their role.
Collaboration and Conflict Management Skills
The CISO is now called upon to collaborate with members of the organization’s mission team, technologists and end users.
When collaborating with the mission team, the CISO works to solve issues that affect the successful operation of the organization. When working with technologists, the CISO must ensure that security requirements are well explained and that effective guidance is provided. When working with end users, it is important to develop training that drives the adoption of information security practices by the end-user community.
A team of effective information security professionals is needed for any robust information security program. It is not just one person – the CISO – but an able group or team that works well together.
Mentoring, and mentoring well, is critical in the cybersecurity field. Working with the team to develop their skills leads to a much more engaged team, resulting in a more effective and knowledgeable information security program.
While the cybersecurity and technology fields are highly dynamic, the critical success factors discussed above appear to be a timeless set of skills. These skills are necessary to effectively lead the integration of technology with the business and mission of the organization, and to align the security program with the needs, targets and priorities of the people within it.