It was interesting to note that this year's RSA Conference 2014 focused on the CISO leader, and how CISOs and other security professionals can expand their roles throughout the organization. The first full day of the conference included a half-day session discussing the many aspects of business that affect CISOs, from audits to understanding employee behavior and dealing with Boards of Directors. Historically, many security people will refer to these as "soft" skills—but as demonstrated in several sessions, there's nothing "soft" about them.
The ability to deal with nontechnical, non-security constituents across the enterprise (and outside of it) is perhaps the most important skill a CISO can have. While it's certainly important to understand the concepts of information risk, security controls, and other components of a good security program, it is the CISO's responsibility to communicate what the security team does and why it's important to a broad range of people across many different areas of the business. The RSA Conference's presentations about leadership training for CISOs stressed the following skills as being important:
- Surviving Audits: One of the most painful things that can occur for a security team is to hear that auditors are coming. Often, auditors seem to focus on things that are of little to no interest to tactical security practitioners, since auditors aren't as technically savvy. However, the reality is that auditors provide an incredibly valuable service. They provide an independent, objective eye on the value that security programs provide, couched in terms of risk reduction to the business (which is, after all, why security people exist inside the enterprise in the first place). For a CISO, neither auditors nor their audits should be terrifying. To understand the mind of an auditor, a CISO should have at least a fundamental understanding of auditing standards and should have deep knowledge of the audit criteria being applied to their scope of business. A good CISO leader should view an auditor as a partner, but that doesn't mean the CISO should simply roll over. Auditors should be challenged by the CISO where their findings are open to interpretation. Most importantly, a CISO should manage for security and risk, and compliance will naturally follow—this should never be the other way around.
- Surviving Teams: Leadership is not a position within a company; it is not a job title. Ultimately, leadership is about social interaction within teams and the ability to influence and change individuals, behaviors, and activities. For a CISO, leadership is about bringing to bear all of his or her power—including both positional power, such as the job title and the opportunity to reward good behavior, and personal power, as a subject matter expert or trusted person—to make changes that benefit the organization and further benefit the CISO and his or her teams by default.
- Surviving a Board of Directors: One of the most terrifying personal experiences anyone in a large organization can face is the possibility of being engaged to communicate directly with the Board of Directors. For many CISOs, this kind of request results in lots of perspiration, shortness of breath, and sleepless nights. As with many things, however, preparation is key. A CISO should want to engage the Board as often as possible and should fight for this to ensure that he or she can completely and fully communicate the state of enterprise risk to the people who are most closely associated with the shareholders. A CISO should know how to communicate clearly, objectively, and with zero ambiguity. With those skills, surviving a Board of Directors can become an almost—but perhaps not quite—enjoyable experience.
Clearly, the role of the CISO is highly important in an organization, and the CISO's ability to master the nontechnical aspects of the role is vital to his or her success.