Checklist for the effective CISO
02 August 2021
As well as dealing with large-scale, rising cybersecurity threats and establishing secure connections for newly-established remote workforces, CISOs are under pressure to deliver more than just an organisation’s security.
How can you, as a CISO, ensure cybersecurity for your organisation in these uncertain times? What skills make an effective CISO today and tomorrow?
The challenge is clear. Today’s effective CISO needs to be a curious triumvirate of:
- Technology expert
As the technology side is very much a given, I won’t add to the volume of advice that’s already out there on that subject. But as The Insider addresses the people side of cybersecurity, let’s explore the other two areas to build the seven-point ‘Effective CISO checklist’.
1. Strong business insight
To be successful, a CISO needs to look beyond cyber threats and tech-heavy conversations and focus on how security initiatives align with their organisation’s business goals.
Having a deep understanding of the business and its goals is crucial for CISO success. Supporting that is the prediction that, by 2023, 30% of a CISO’s effectiveness will be tied directly to their ability to create value for their business.
Put another way, it’s about moving the conversation from being about stopping “bad things happening” to a conversation about cyber and IT security as a key factor in underpinning business growth and success.
2. Empathy
It’s all about people, and cybersecurity really is a people business. So it follows that a vital ingredient for relationship-building and effective interactions is empathy. Technology on its own cannot secure your organisation. People are your critical, and only, line of defence against cyber-attacks and breaches.
Once you empathise with stakeholders, you understand their priorities and what drives them. This allows you to tailor your communication approach to be more relevant and impactful, leading to more effective results (see points three and five). That doesn’t mean snappy marketing slogans. Rather, it means simple, clear messaging that speaks to the key behavioural drivers of real people across all kinds of demographics.
3. Clear, simple communication
And speaking of clear messages, effective CISO communication means removing the cryptic jargon and acronyms that are so common in the security field. Lenny Zeltser, Faculty Fellow at SANS Institute, covers this excellently here (if you only click one link, click this one). Tailoring conversations to different audiences and explaining cybersecurity strategy simply and clearly helps to put threats into a business context. In effect, you speak the language of your listeners.
4. Enable people
Once you are communicating clearly, what stops your people from acting and behaving with security as a priority? Is it a lack of understanding, or are processes just too complex? Are the resources available to facilitate the desired secure behaviour?
How can you make security compliance easier? Are there simple steps currently used successfully in your organisation that can be shared with others?
The bad old days of repeating “compliance, compliance, compliance” are definitely gone. Just because a message is repeated often doesn’t mean that listening or retention will increase. So put yourself in the shoes of your people and think about how you can make things easier in their world.
5. Tailor communication
One size does not fit all when it comes to communication. But how do you reach people? A key point to consider is the range of communication channels available, and choosing the ones your particular audience(s) prefer. Is it through their mobile app? Is it video content? Maybe your focus should be on one-to-one or small-group sessions, whether online or in person.
You are the best person to judge what’s right for your organisation, but think through the options. Spending big doesn’t always bring the biggest results; small-scale but well-directed communication can be just as effective.
6. Work with other business areas
Successful CISOs regularly engage with more non-IT stakeholders than IT stakeholders, and they treat other business unit leaders as partners. Look to other areas of your business for help. For example, in-house marketing and internal communication teams can bring ideas, creativity, know-how and impact to your communication programme. Bring your colleagues into your work and make it a shared challenge.
7. Listen and act on feedback
One of the many lessons we at TSC have learnt over the years is that communication has to be two-way. So ask for feedback on your communication and training. What do people think? What do they value most? And, crucially, what works best and least? Linked with your heightened sense of empathy, the more you listen to real feedback — and act on it (see point four) — the more effective your communication and training will become.
New world, new CISO skills
While new remote or partially remote setups have created fresh technical challenges, the wider demands on the effective CISO call for a holistic approach. Alongside securing growing cloud networks and implementing robust remote-working security practices, the CISO’s role is maturing across other, non-technical areas.
Given this backdrop, being responsible for cybersecurity can feel like an uphill battle. However, honing the skills discussed here will not only make you a more effective CISO; you will also contribute more to your organisation and play a more valued and recognised role.
Please feel free to contact us for more information on how we can help you maintain and develop your CISO effectiveness.