Traditionally CISOs focused on keeping malevolent actors out and the lights on. But the role of the CISO is fast evolving: they must develop soft skills to drive strategy through every level of the organization and translate risk into a language everyone understands. In this blog Orange Cyberdefense’s CISO for the Netherlands, Tamara Hendriksen, summarizes ten tips to help modern CISOs bridge the gap between technical and business to mitigate risk.
CISO success requires more than technical knowledge. Today, CISOs are seen not only as implementers of security but also as business enablers. They act as ambassadors for security initiatives across the organization. As a result, they need to enhance their soft skills such as communication, empathy, and team leadership. CISOs are expected to understand and mitigate risks and relay information across the organization that is digestible and easy to understand.
For a CISO to get executive buy‑in for their security roadmap, they must align it with business, ensuring it is agile and flexible enough to keep up with market changes. A CISO should understand the organization’s structure and how different departments work within its ecosystem.
To succeed, a CISO must understand the workings of the board if they do not have a seat at the executive table. A constructive relationship, for example, can improve the CISO’s ability to influence and effectively manage information security risks. There should be a process of reporting to the board so that the CISO can bring value to any decision‑making. It is essential to quantify security risks in terms of business impact.
Many CISOs work with a small team, so time is a big constraint. A lack of budget, a lack of mandate, or a board that does not understand information security and privacy risks can be time‑consuming in terms of a lack of resources and reporting. Time needs to be spent on technical aspects, but it is essential that CISOs also focus on strategy, understanding business goals, and interacting with key stakeholders. Sometimes, progress can be slow, but CISOs mustn’t get demotivated by this.
New cybersecurity software and applications are being introduced daily. With threats becoming more sophisticated and challenging, CISOs need to take a strategic approach to security to protect the organization. Changing markets will alter business processes and technologies. CISOs need clear visibility and a holistic view of what makes up the core business and strategic knowledge of the best tools being launched to protect them. The important thing is to keep learning.
CEOs today must know precisely why they are prioritizing certain organizational assets against others. Where are the most business‑critical assets or the crown jewels, where are the connections to the outside world, and where are the weak spots? Performing regular risk and business impact assessments can assist with knowledge here. CISOs must be able to provide this information to CEOs in an easily digestible manner. CISOs should immediately know where data is located, what kind of data is being protected, and which areas may require more protection.
Technical tools are essential to a CISOs role and help provide insights into vulnerabilities and issues. CISOs must not rely on technical metrics alone, however, as they can create a false sense of security. Organizations can still be highly vulnerable to insider threats or human error through phishing emails, for example.
Changing user behaviors and educating them on cyber-risk is crucial, especially as employees increasingly access content and applications remotely. For these messages to stick, savvy CISOs are taking an interactive and personalized approach so that these measures become second nature.
CISOs must adjust to the fact that increasing volumes of data are being held outside the organization. There are more connected devices, and employees use their devices and the cloud to store and work with data. CISOs must continually re‑think mobile security and ensure employees work within best practices.
CISOs need to stay one step ahead of international regulations. Due to changing requirements, organizations may need to up their data protection to ensure confidentiality and availability of data in certain regions, for example. Penalties for non‑compliance are likely to become much harsher, and the board will look to CISOs to strategize around them to meet business outcomes.
Organizations are increasingly facing fines and lawsuits over breaches and non‑compliance. Boards must understand how critical a breach is, its legal implications could impact a business process, and how company compliance can affect a violation.
Ultimately, executives need a understanding of the cyber-risks to make smart decisions that work best for an organization. They don’t want to see security spend for security’s sake but need to know that sufficient protection is in place to mitigate risk as far as possible. And they want to know what that risk is in business terms.
If you would like to learn more about it, download the full CISO's guide to effective leadership and get yourself a head-start.Download CISO's Guide