The Big Ask - What Does(n't) it take to be a CISO - and why does that matter?
Up against it, all the time
In the ruthlessly fast-paced, take-no-prisoners environment of IT security, the work of IT security teams is never done. In one sense, they’re firefighters. Trying to anticipate, grapple with, and shut down threats is their bread and butter. But the Chief Information Security Officer has to be so much more than just a firefighter. The role is multi-dimensional and dynamic. And as we shall see, when it comes to requirements, it is also a study in contrasts. Add to all this the considerable expectations and pressures that a CISO is likely to face, and it’s small wonder that the demand for qualified staff to fill the role is higher than ever, and far outstripping supply.
A study in contrasts
Making sense of the grab bag
The job title speaks for itself, it seems: the CISO is “responsible for developing and implementing an information security program” that includes “procedures and policies designed to protect enterprise communications, systems, and assets from both internal and external threats.” Pretty self-explanatory, really—until we get to the small print, which you can find in actual recruitment ads for a CISO—and that’s where the trouble starts. The list of responsibilities can go on and on, thus demanding a huge grab bag of skills and experience. Thus a single ad might include all of the following responsibilities:
- seeing to the design of security systems
- reviewing security policies
- scheduling audits
- ensuring regulatory compliance
- managing all security teams, including those focused on IT
- ensuring that disaster-recovery mechanisms—covering the detection, isolation, and neutralizing of intrusions—are in place
- championing the organization’s security strategy to senior management
But that’s not the biggest challenge: in fact there’s a pattern, which gives us the above-mentioned study in contrasts, in mutually competing requirements.
Strategist and tactician
For instance, the CISO has to take the long view, anticipating trends in cyber-hacking and responding accordingly with budget requests, recruitment drives (and other HR headaches), and the ongoing acquisition of technology.
But they also have to be ready for that call at 2:00 am should their organization be targeted by a cyber attack, so they can direct the response. And in that context, they must be a master tactician, a sleuth who can run digital forensic investigations, perhaps even a psychologist—even as they wear their technician’s hat. They’re well prepared for the 2:00 am call, of course—not only because they go to sleep with their sleeves rolled up, but because they’ve also helped set up the organization’s risk-management and IT-security audit programmes in the first place.
So some recruitment ads might be a bit more honest if they opened as follows: “Looking for a whole lot of maddening challenges that can pull you every which way? Consider a career as a CISO.”
Learner and teacher
Now, some of the contrasting skills and talents required do at least complement one another.
In the world of digital security, nothing is standing still, or even moving slowly. And it’s not just that technological change continues to press on at a mad pace. Hackers are relentless and are constantly on the lookout look for any opportunity to get hacking. But to make matters worse, these days they need less and less technical prowess to pull off the most daring hacks imaginable.
So a talent for learning is key. And even that must take place at more than one level: out of curiosity, for investigative and sleuthing purposes, and for the good of the organization as a whole (on which more below).
But more important yet is the ability to educate—to communicate to staff, and especially senior management, a number of key points: What is security, including digital security, in the first place? And what is required to ensure that it is maintained? The latter would include emphasizing, for instance, that it takes more than just money to buy in more technical specialists to run more-advanced solutions.
This ability to educate is as important is ever. The fact is that a lot of senior managers still regard CISOs as glorified technicians. And that goes hand in hand with an unhelpful view of IT security issues as problems to be addressed from within IT departments—that is, as technical problems, as though there were no such thing as phishing, for instance. (Phishing is all about using psychological trickery to get an employee of an organization to give up highly valuable information they could never have imagined themselves parting with—until it actually happens.)
Gracious yet forceful
Being in a position to educate senior management on the actual nature of IT security requires a seat on the executive board or at least a direct reporting line to one of its members. And if there’s no such direct access, the CISO has to fight for it. So they have to be a bit of a street fighter, so to speak—but a gracious one.
Skills soft and hard
This contract between gentle and tough finds an analog in the set of skills and talents the ideal CISO will have.
The reality is that IT-security staff are often not happy—far from it. Burnout is common, and the shifting dynamics of the overall picture mean that, when it comes to retention, human-resource departments are having to contend with revolving doors that are starting to spin out of control.
Second, happy or not, there are not enough IT-security staff, and the gap between supply and demand is growing, even as the threats to IT security, and to organisations themselves, are growing relentlessly, with hackers becoming more ambitious and ruthless, even as they need less and less in the way of specialized skills to pull off successful attacks, thanks to the malware-for-hire phenomenon.
So CISOs need to understand the nature and causes of this shortage, and to be imaginative and creative in coming up with solutions—including by looking in every sector for top IT-security talent. And they need to be a dab hand and a past master at motivating staff, so they can hang onto the best talent they have.
A solid track record—and a willingness to keep learning
The CISO needs to have a wealth of experience—7 to 12 years working in IT, of which at least 5 must have been spent managing and security operations—and perhaps some further specialized training, depending on the role. By that time they’ll have picked up a whole range of skills in DNS, DDOS, risk mitigation, ISO 27001, SOX compliance, intrusion-detection protocols, and so on.
Now there are a lot of folks out there who know all about all of that. But a CISO also has to be able to take several steps back, constantly assess what they “know”, and be willing to unlearn the old and learn the new. They must be able to demonstrate a solid track record and be willing to keep learning.
Be focused—and juggle
Here’s one kind of solution to one aspect of the skills shortage within digital security: take the staff you have, and give them all the training they could possibly need to fend off the latest cyber threats. That will stop the high attrition rates across the industry.
Except if it doesn’t, in which case you’ve just given a whole slew of staff the training they need to command a higher salary or daily rate at some other company that is also battling the same shortage.
So you need to focus on fending off threats to your organization’s existence, while juggling any number of competing considerations around staff satisfaction, retention levels, and loyalty. And while you’re doing all that, don’t forget that other organizations are also engaged in this same struggle.
Pulling off such a broad range of tasks naturally requires not just a familiarity, but a detailed engagement, with the organization’s shorter- and longer-term business objectives. It is these that will serve as your main guide as you work to turn innovations into Innovation; changes, into Transformation.
And of course, those business objectives will themselves also be shaped to a degree by the need to meet one and another set of outside requirements. One case in point is the need for compliance with the main Information Security standard (ISO 27001), which “specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization”, and which can therefore be a further help to you as you carry out all the responsibilities in the aforementioned grab bag.
Passion versus commitment
There’s a lot of talk on LinkedIn and other recruitment sites these days about the need to have a passion for your job. A passion for marketing. A passion for communication. A passion for people. As though passion itself had some magical quality.
In fact, the capacity to help save an organization’s hide requires something more than, and different from, passion. It requires a mindset capable of shouldering a commitment to an organization’s very survival. There is even a sense in which all the skills and the talents listed above are just starting pre-requisites that take a back seat to that commitment, that drive.
And finally…an attractive contrast
All of these challenging contrasts having been noted, that fact remains that every challenge presents opportunities, and the challenges outlined here are no different. Most fundamentally, the increasing and ever-evolving threats from cyber attacks mean that more and more resources are being poured into defense. For instance, Bank of America’s CEO reports that “cybersecurity is the company’s only business unit with no budget limit.” That’s not enough in itself—but for those CISOs who can meet the Big Asks outlined here, it’s certainly a start.
In order to ensure that CISOs have all the skills at hand to excel in their role, EXIN created a certification specifically designed with CISOs in mind. For more information, see EXIN Certified Information Security Officer.
 These include “meeting the changing workforce with new hiring and recruitment, and professional development strategies, beginning with improved communication of expectations and, importantly, expanding reach beyond traditional channels” (GISWS, p. 7).
 2017 Global Information Security Workforce Study, p. 5.
 The 2017 Global Information Security Workforce Study notes:
The combination of virtually non-existent unemployment, a shortage of workers, the expectation of high salaries, and employees who leave companies at rates that only increases among younger generations creates both a disincentive to invest in training and development and a conundrum for prospective employers: how to hire and retain talent in such an environment?
 Hacking the Skills Shortage, p. 8.