We have a bunch of exciting podcasts coming down the road towards the end of the month. They will deal with topics like Penetration Testing, Security Orchestration, SIEMs, etc. For the month of April our schedule is already filling up, with three podcasts already booked. I have interviewed some of the top C-Level Execs from some of the most elaborate startups you could ever imagine, ranging all the way from Silicon Valley to the East Coast.
So, speaking of C-Level . . . yes, the C-Suite is still under the microscope this year, and will continue to be so for a long time to come. This is a topic we hear about all the time (and yes, there are times when I even get tired of hearing about it). But all of the news and content that surrounds the C-Suite has always been negative in nature.
Like, what kind of sanctions do we impose on them, how do we punish them, should they be fired, etc. But to be honest, once in a while I do come across a news headline in which the C-Suite (especially the CIO/CISO) is trying, or at least making efforts to show that they care about their organization, and that they want to help protect it.
But, one of the key questions still remains . . . what are some of the qualities that define an effective CIO/CISO? Here are five traits that they must possess:
- They have to be nimble, flexible and AGILE:
The CIO/CISO must have the ability to listen to a wide range of audiences from within their organization, such as the different departments. They have to be able to listen to all kinds of needs, requirements, and issues. But most of all, they have to be able to inspire trust and confidence in their employees and teams if and when a Cyberattack does indeed happen.
- They must be able to speak both geek and non-geek languages:
In this instance, the CIO/CISO must have enough technical background and experience that they can quickly understand what their IT Security Managers are telling them. Then in turn, they have to have the ability to translate all of that geek speak for a non-IT crowd, especially the other members of the C-Suite, in order to get their buy-in for new projects and new initiatives.
- They must be able to use both sides (including the front and back) of their brains:
Remember, the CIO/CISO has to be not only a techno geek, they also must be creative as well. To be honest, this is a very difficult skillset to possess, and I have known of very few people that can do both. In this regard, the CIO/CISO must not only be able to keep the technical portions of their Security Policies up to date on a regular basis, but also the non-tech ones as well (especially those that address Security Awareness Training programs for employees). While the CIO/CISO can be considered to be the ultimate commander in chief of their IT department, and has total veto power, they must also be able to embrace the constant dynamics of the Cyberthreat Landscape and keep fine-tuning their Security Policies in order to keep up. In other words, they should be able to “. . . successfully merge their cybersecurity vision with their organization’s reality.” (SOURCE: https://www.securitymagazine.com/articles/89949-key-skills-every-incoming-ciso-should-have).
- They must be seasoned enough in the real world:
Obviously, you wouldn’t hire a person right out of college to be a CIO or CISO. By the same token, you want to have an individual that has a lot of experience. Remember, the Cyberthreat Landscape is more than just fighting off threat vectors. It also means dealing with the headaches and administrative nightmares of coming into compliance with all of the legislation and mandates, such as those of HIPAA, Sarbanes-Oxley, GDPR, etc., in order to avoid the harsh penalties of noncompliance. Also, you want the CIO/CISO to have the ability to lead and engage in what are called “Tabletop Exercises”. This simply means conducting real-world Cyberattacks (such as those of Pen Testing) against the lines of defense of the organization in order to see where the unknown weaknesses and vulnerabilities lie.
- They must be able to communicate levels of Cyber Risk to the C-Suite:
The term “risk” has been used substantially in other departments, especially that of Finance, particularly when it comes to the Capital Budgeting Process. But this is something new to the world of Cybersecurity. With all of the incoming threats, there are now sophisticated ways to calculate and model the levels of Cyber Risk that a business or corporation faces. In fact, some companies have even started to use Artificial Intelligence (AI) and Machine Learning (ML) in order to gauge all of this in real time. But once again, the CIO/CISO must be able to gather and sift through this plethora of information and data, separate the wheat from the chaff, and report that to the Board of Directors, in order to get their approval for funding to deploy newer Security technologies and initiatives.
My take on this?
Well, here you have it, some of the important traits that constitute a successful CIO or CISO. Remember, it takes a blend of both qualitative and quantitative skills to make it in this role. But most importantly, it also takes effective communication skills in order to translate the techno geek language for the non-tech crowd, such as the CEO, COO, CMO, CFO, etc.
In today’s times, you will see many IT staffing and recruiting firms offer what is known as a “Virtual CIO/CISO”, or even an outsourced one. While it may sound tempting to use these services in order to cut costs, my advice is to stay away from them. While these services might prove to be effective for the extreme short term, these are not long-term answers by any means.
I am by no means a hiring expert, but in my view, I think it would be best to hire someone internally from within your organization. This would be somebody who has worked in the IT department for a number of years, climbed up the ranks, and has obtained the title of at least “IT Manager”.
After all, these types of individuals know your organization the best, as well as the people that work there. But above all, they know and fully understand the Security requirements that are unique to your business or corporation, and thus will have the mindset to make key decisions that will be of value and benefit.