- Matthew Todd
Recently, I was asked to consider the question, “Do CISOs need to be techies at heart?” Having become a CISO after a history of technical roles, I could see why one might think the answer was a very clear “yes,” and yet I feel very strongly that the answer is “no.” A CISO should be able to rely on a solid team to handle the “techie” stuff; if a CISO spends too much time in the weeds, he will miss the broader picture. Especially in a small- to medium-sized business, a CISO needs to be much more than just a techie—really, a good CISO should be a jack-of-all-trades, and nearly a master of most.
Information is the heart of any business, so a CISO is very nearly the same as the chief risk officer, especially at a smaller firm. A good CISO needs to understand the risks to the organization beyond the traditional IT risks, and be able to articulate how the IT controls fit within the framework of the business. He needs to be a good executive, able to weigh business objectives against the risks that IT controls mitigate, to help the company make the right tradeoffs. He needs to be able to take the long view, and give other executives the confidence that the CISO deserves a chair at the executive table, because he has the right objectives at heart.
A good CISO is a good listener: It’s too easy to take a draconian approach and lock down everything except the essential technology. Ultimately, users will always find a way around the controls, even without realizing they are doing so. I’ve found that users can have no idea that the notes they are taking on their personal tablet are copied off to servers somewhere in the ether. Instead, a good CISO will observe how the staff operates, ask about what frustrates employees or what tools they want to use, listen carefully to what they say, and then come up with solutions that both meet the needs of the business and are clearly informed by the staff. A good CISO will make sure employees have what they need to do their jobs well and safely, based on their own input.
A good CISO is a good marketer: Most employees think the CISO's job is to keep them from doing things they want to do and keep viruses off their computers. Instead, a CISO should promote the idea that security and risk management are a collaborative effort, where everyone works toward a common goal. During orientation, I like to deputize every new staff member personally as a junior security specialist, playing an integral part in the protection of our corporate and client information. Good security means that the staff can rely on systems running when they need them. It means employees can trust that the right people have access to the right data at the right time, and the wrong people never have that access. A good CISO will help promote good security in a way that helps the business market itself as trustworthy – not only for staff, but also for clients, shareholders and the public in general. Good security should be good for business, and a part of any in-depth business presentation.
A good CISO is a part-time legal and legislative analyst: It’s not enough to read the news and alert the IT team of the next advanced persistent threat (APT). A good CISO will be a critical resource and a trusted partner for the legal team, a source of information and analysis about cybersecurity legislation, and a part of the contract process for both clients and vendors, ensuring that security needs are appropriately addressed while properly protecting both parties. A clear understanding of insurance comes in handy for the CISO, especially when it comes time to discuss coverage, cost and risk with the chief financial officer (CFO).
A good CISO speaks the language of audit: He will understand the goals of auditors—clients, regulators, or external auditors—and anticipate their needs. A good CISO knows that the objective is to demonstrate sound controls, not just check the box, and that the ultimate goal is always to have solid processes and controls that protect the business.
A good CISO knows that very few of his or her peers understand the language of cybersecurity and risk, but is able to explain the role of security in the context of each department. Department heads need to understand that security is not about getting in the way of business, but is essential to everything. If the development team takes security seriously early in the development cycle, and incorporates it into the development process, it will spend less time cleaning up the mess of a vulnerability later. If the operations team understands the need for access controls, and works with the security team to ensure that proper controls are in place, operations won’t be shut down later when someone with the wrong access does the wrong thing. If the HR team understands the risks around proper and timely assignment of roles and responsibilities, it will work with management to be sure onboarding and off-boarding processes are efficient and prompt.
Advice for CISOs: Be a good leader and a good listener. Understand your company’s goals, clients’ concerns, and employees’ needs, and be a part of the solution. Be a valued resource and a trusted partner. Promote good security by making sure it’s good for business. It doesn’t hurt to be a techie, too—you still have to understand what your firewall engineer is talking about. Always keep the best interests of all of your customers (in the broadest sense of the word!) at heart.