The last 12 months have been a tumultuous period for cyber security leaders. Whilst the job is already filled with enough twists and turns to keep any seasoned CISO on their toes, COVID-19 brought a wealth of additional challenges, some of which were unprecedented in their size and scope.
Take the massive cyberattack on Colonial Pipeline in the United States, one of the most significant attacks on critical infrastructure in history.
The disruption of the infrastructure that transports 45 per cent of the oil consumed on the US’s east coast had far-reaching consequences, although it was later revealed that the hackers weren’t nation-state-backed and even issued an apology for the devastation.
It goes to show just how complicated the current threat landscape is. If adversaries are targeting organisations by chance, presumably everyone is a target. Add in the headaches caused by remote working and an ever-expanding perimeter and it’s clear that CISOs have had a challenging year.
However, despite the array of extraordinary challenges CISOs have dealt with, their efforts are paying off. According to the latest Information Security Maturity report from ClubCISO, 88 per cent of security executives said their existing security infrastructure has held up well during the pandemic.
While this serves as a testament to the work that CISOs have been putting in over the last few years, maintaining that momentum will be a key challenge as the pandemic persists through the remainder of 2021.
As part of this, CISOs will need to be more engaged with business decisions, develop their own skills, and address key challenges such as the growing cyber security skills shortage.
Becoming a business leader
Traditionally, the role of the CISO was confined purely to the IT department, as an internal manager of information and data security. They were often viewed purely within this context, and while they may have appeared at board meetings, their expertise wasn’t valued as much as it could have been.
Now boards are starting to recognise the intrinsic importance of security to business objectives, given that a breach can cause catastrophic damage to organisational finances and reputation. As a result, CISOs are increasingly consulted for strategic guidance and are expected to support business priorities.
In the latest ClubCISO report, business knowledge was ranked three times more important to CISOs than technology knowledge among key skills for the role. Yet, despite its importance, only a minority of CISOs are confident in their skillsets in those areas.
It’s important for CISOs to address this, as business skills and the ability to communicate strategy to stakeholders will be fundamental going forward.
CISOs should look to get more involved with business discussions and request additional business training as part of their personal development plans. As Dave Stapleton, CISO at CyberGRX told CSO magazine, “If CISOs do not fully understand the mission of their business or cannot effectively communicate the impact of security on that mission, then their effectiveness will be hampered at the very least.
“In some scenarios, this inability to communicate could even result in poor decision-making, by the CISO or leadership, that directly and negatively affects the security of the organisation.”
Addressing talent and skills retention
We all know that bringing cyber talent into an organisation is difficult at the best of times, but things have gotten even harder over the last 12 months.
The ClubCISO report suggests that the number one contributor to CISO stress levels was a ‘lack of the right skills in the security team,’ illustrating how complicated this issue has become in recent years. In fact, a study from Burning Glass revealed that filling a cyber security role takes 20 per cent more time than filling a typical IT role, and COVID has only made this harder.
As difficult as it is, CISOs will need to ensure they have as much high-quality cyber talent on board as possible, as not doing so will undoubtedly lead to overworked teams that will not be able to contend with modern adversaries.
This was reflected in our ClubCISO data, with 52 per cent of respondents citing “insufficient staff” as a key concern impacting their ability to deliver against objectives – making it the most cited concern in this category.
The best approach to solving this issue will depend on the organisation, but it might involve some out-of-the-box thinking to bring on new talent.
Security leaders should start by looking for talent who display the right aptitude and motivation, using a skills development strategy to fill the gaps where needed. In a recent article for Forbes, Christian Espinosa, founder and CEO of Alpine Security, argues that a four-year degree shouldn’t be the ticket into cybersecurity teams, as softer skills are often more valuable.
“First, I look at the applicant’s motivation for the field. I want to know why they want to get into cybersecurity,” Espinosa says. “A lot of people want to get into this industry because they know they can make a lot of money, but they don’t really care about protecting client data. That person will likely not have the same staying power in their career as someone with internal motivation.”
Organisations should also lean on vendors and service providers for support, which can help fill the gaps where the right cyber talent is unavailable.
Building your emotional intelligence
As mentioned earlier, CISOs have traditionally been seen purely as ‘tech people’, which has meant that the need for interpersonal skills has taken more of a backseat.
Modern CISOs should look to buck this trend, as they’ll need to consistently connect with multiple stakeholders and teams throughout the organisation. As part of this, they’ll need to build their emotional intelligence, which extends to both empathy for others and self-awareness.
As security teams are often extremely busy and under stress, part of showing leadership involves making their health and wellbeing your primary concern. Showing empathy and understanding their concerns helps keep them genuinely engaged and interested.
It’s also important to understand your own biases and where your knowledge gaps are, constantly acknowledging where you can improve. This helps to build a diverse, inclusive team, but also improves your ability to effectively communicate with the wider organisation.
Ultimately, the CISO of the past can’t be the CISO of the future. The role needs to evolve, with strong engagement across the entire organisation and some out-of-the-box thinking in the execution of more innovative security strategies.
To learn more about how CISOs are handling pandemic-related uncertainty and why their role is shifting in the new normal, download the 2021 ClubCISO Information Security report here.