Recently, I asked members of the #CIOChat about their CISO colleagues. This was a positive discussion and the guidance from CIOs should be helpful to all CISOs who want to build more effective relationships with their business counterparts.
Ed Featherston, VP Principal Architect, Cloud Technology Partners, started this discussion by saying communication skills are a must-have for today’s CISOs. Featherston said that effective CISOs must have the ability to explain costs, risks, and benefits in business terms in order to get buy-in and support. IT consultant Chris Petersen agreed, asserting that all C-suite personnel should be transparent communicators. Josh Wright, Technology Lead and Chief Technical Architect for PwC’s Talent Exchange, however, said that CISOs need education: “Not knowing how the sausage is made doesn’t make people dumb, it makes them vulnerable to bad decisions.”
E.G. Nadhan, Chief Technical Strategist at Red Hat, said that security experts are notoriously bad at talking to “(normal) people.” At the RSA Conference this year, the comedian Seth Meyers even joked about this problem, saying it must feel good to be at a conference where everyone actually knows what you are talking about! Steven diFilipo, CIO for the Institution for Transformational Learning, agreed with Seth Meyers’ sentiments, saying, “A CISO that communicates risk in a manner that does not matter to others will not have their burden for long.” Peter Salvitti, CTO for Boston College, extended diFilipo’s thought by saying there is no such thing as “over-communicating” risk, compliance, and governance: “CISO effectiveness is tied to their creativity in communication.”
Steven Fox, Senior Cybersecurity Officer for the US Department of Treasury, shared that most of his customers see opportunity where his team sees risk. Featherston confirmed Fox’s thinking by saying, “security balance/tradeoff is like walking a tightrope over a tank of hungry sharks.” CISOs need to get businesspeople to understand the risk of failing. For this reason, Featherston says a hallmark characteristic of a competent CISO is the ability to clearly and effectively communicate complex security ideas.
Melissa Woo, CIO at Stony Brook University, said good CISOs should have the same traits as a good CIO, which include being strategic as well as a good communicator. Sharon Pitt, CIO of Binghamton University, added that CISOs and CIOs must be able to help with communicating, identifying, and managing risk with business partners, and that everyone in IT today needs to be a bit of a business person or they risk becoming irrelevant.
Business knowledge is essential. According to Pascal Viginer, CIO of Orange, it is best to have a security-oriented CISO with strong business acumen. Josh Olson, CIO at Michigan Tech University, agreed; he believes the CIO and CISO should be able to swap roles on demand. Woo said she did not find Olson’s thought controversial because the skill sets are so similar, but Nadhan had a somewhat different opinion, saying that if the CIO is a business person, then the CISO should be a security business person who drives policy and governance and manages compliance and risk, based upon strategic business initiatives. diFilipo agreed that a CISO should understand how to meet business needs and that security is a component of service and product delivery. Here, Jeffrey Pomerantz added that his research at EDUCAUSE ECAR shows CISOs spend a lot of time supporting institutional strategy.
So there you have it: CISOs should be more like CIOs; in other words, they should be business leaders. Does this resonate with what you’re seeing and experiencing at your brand?
If you are looking for more ideas for being an effective CISO, I have put together this executive brief on the data-driven CISO function: Enlightened CISOs set the bar higher. Check it out and do let me know what you think!