Experts share their thoughts on why the CISO is becoming a business leader beyond technical expertise, but success hinges on their ability to be influencers and lead the security agenda.

The CISO’s role has evolved from managing technical controls to also supporting the business strategy. Becoming a great CISO requires more than technical expertise. To be highly effective, CISOs must balance business risks, protect against threats, and ensure organizational resilience.

“It’s shifted from a technical or compliance-focused role into a business leader that needs to understand business strategies and operations to make trade-off decisions between addressing risks and investing in the most impactful areas,” says Mandy Andress, CISO with Elastic.

This shift in thinking reframes security events as inevitable, with the focus on being prepared for when, not if, a breach occurs. “Twenty years ago, if there was a data breach, the CISO was automatically blamed and looking for a new job because we needed to have zero events,” Andress tells CSO.

Today, there’s more acceptance that security settings aren’t perfect, and organizations must focus on resilience and preparedness for when an incident occurs. Security settings were once viewed as binary — on or off — but today, security programs need to be designed to help organizations adapt and respond with minimal impact when incidents occur.

Response and resilience planning now involves cybersecurity and business operations teams, requiring the CISO to engage across the organization, especially during incidents. “It’s brought a much broader population of folks into the process, so if you have a security event, it’s not just the technical security team involved, but it’s also public relations, communications teams, and potentially executives, depending on the scale and severity,” she says.

CISOs are also leading the conversation around budgets.
In the past, funding came with the instruction to do as much as possible, but today these discussions are more nuanced. “The harder evolution in this role is knowing we’ll see many things we’d love to do differently and that we know we can do better, but they’re not the focus for the business at the time,” Andress says.

SecOps vs GRC: Is there an ideal CISO background?

CISOs can come from a variety of backgrounds — university, workplace experience, or professional certifications — but the changing demands of cybersecurity are blurring these distinctions. In the past, those with a SecOps background often focused on operational security, while those with a GRC background leaned toward prioritizing compliance to manage risk, according to Paul Connelly, a former CISO who is now a board advisor, independent director, and CISO mentor.

“Infosec requires a base competence in technology, but a CISO doesn’t have to be an engineer or developer,” says Connelly. A broad understanding of infosec responsibilities is needed, but the CISO can come from any part of the team, including IT or even internal audit. Exposure to different industries and companies brings a valuable diversity of thinking. Above all, modern CISOs must prioritize aligning security efforts with business objectives.

“Individuals who have zig-zagged through an organization, getting wide exposure, are better prepared than someone who rose through the ranks focused in SecOps or another single area of focus,” says Connelly.

In mid-size and large organizations, managerial skills, leadership competencies, and business savvy outweigh technical skills. In smaller teams, on the other hand, everyone is required to wear multiple hats, and the CISO in these settings must often be a technical leader. “In those cases, having a technical underpinning like SecOps can be helpful,” he says. What matters most is the ability to adapt and lead the security agenda.
To gain credibility with the board and C-suite, CISOs must understand the business side of information security. Reflecting this change, courses in cybersecurity leadership are emerging to help develop security leaders capable of engaging across the business. “The goal is to develop cybersecurity leaders who have that business acumen, communication skills, and the ability to work with other groups like legal and audit, which is a great combination for today’s leadership,” he says.

As a longtime mentor, Connelly advises CISOs looking to advance their careers and develop leadership credentials. He recommends that CISOs in larger organizations look for opportunities to take rotational assignments for leadership development. If these opportunities don’t exist, leadership-minded CISOs need to seek out mentors with the idea of developing long-term, goal-oriented relationships that support their growth. “It’s having someone who takes the time to provide advice and feedback and give you ideas to help pick the right path you want to follow,” Connelly says.

At the outset, he suggests identifying areas where a mentor could help, brainstorming potential mentors, and then making the approach directly or through a mutual connection. To get the most out of the arrangement, he advises mentees to set goals and lead the conversation at each meeting, while also leaving space for the mentor to add their thoughts and adjust if necessary. “Make sure you go into the relationship with a set of goals you’re hoping this person can help you accomplish, or a set of issues you would like help to develop yourself.”

The CISO as an influencer

As the CISO’s remit has expanded beyond technical proficiency, their effectiveness increasingly hinges on the ability to cultivate influence across the organization. CISOs must build relationships and collaborate with different teams to ensure security is integrated into processes and responsibilities across the organization.
Influence is key for CISOs to drive security initiatives. Gone are the days of imposing technical solutions, replaced by a focus on listening and considering different perspectives. Working toward shared solutions is critical, and this consultative approach is essential for CISOs to be effective in their role, according to Andress. “That’s where the influencing comes in, understanding how to approach different individuals and having individualized interactions and being adaptable,” she tells CSO.

It requires understanding the language of different teams, their needs, and their limitations, which helps foster more positive interactions and discussions. “If you go in with ‘this is the only way to achieve this objective’ it creates a more adversarial relationship; whereas if it’s ‘this is what we need to achieve, how can we work together’ you’re focusing on why we need to do this and how it will help the business be successful or help our customers, and it’s a much more positive interaction and discussion,” she says.

Killian O’Leary, head of technical recruitment at PlaceMe Recruitment, who specializes in cyber recruitment, agrees that creating shared objectives, engaging stakeholders, and acting as an influencer are important traits. Years ago, the CISO was very much an island who stayed in their own place, which suited a certain personality type, but that’s giving way to leading through influence and collaboration. These qualities are becoming highly valued by organizations when recruiting a new CISO. “They’re looking for CISOs with the personality to gather followers who will buy into the security roadmap and go on the journey,” says O’Leary.

In his experience, technical expertise is important for the modern CISO, but so is appreciating that the security posture means different things to different people, whether it’s the CIO or the CEO.
This requires staying abreast of evolving threats, presenting insights in ways that resonate with leadership, and fostering a security mindset throughout the organization. “The standout CISO has got a bit of backbone because they can have the difficult conversations, influence and advise in a nice way, and understand their audience, while pushing their agenda for the betterment of the business,” he says.

What can complicate matters, however, is when organizations don’t fully understand the CISO’s role, which can lead to mismatched job specifications and a shopping list of technical proficiencies that CISOs must match. Organizations need to understand how the role will function, who the CISO will have an audience with, and who they’ll work closely with, he says.

In some cases, recruiters such as O’Leary might explain how a candidate will suit the role if they have more diverse experience, have held positions for shorter tenures, or their experience in one organization doesn’t fit the job template. “If someone’s got exposure to many different industries, challenges and types of business, that’s a more rounded experience,” he tells CSO.

He argues that personal qualities such as a growth mindset and adaptability will stand CISOs in good stead to thrive in such a changeable environment. “Any good CISO sees themselves as a work in progress, never the finished article because they need to evolve with the trajectory of the role, and that includes having a more conspicuous presence in an organization,” he says.

One defining feature that everyone agreed on is passion — for the role and the mission of securing the organization — which lies at the heart of a great CISO. It’s an important personal motivator and is contagious among the team, which helps fuel the commitment to the mission of protecting the organization, its customers, and employees. “A great CISO is somebody who’s got that passion for cyber and a commitment to lifelong learning and improvement,” says O’Leary.