As Cybersecurity Matures, Leaders Need Additional Training Opportunities

The job of the chief information security officer (CISO) is increasingly complex and critical, given that an organization's reputation and bottom line can sustain irreversible harm following a breach or attack. At the same time, government regulations and compliance requirements have added further responsibilities for cyber leaders.

While CISO salaries have kept up over the years, formal training for security leaders is lacking.

A study released by ISC2 looked at the issue of formal training for cybersecurity leaders (as well as those tech and security professionals on the leadership path) and found that less than 63 percent of respondents reported that they have received such training. The vast majority—about 81 percent—learned leadership skills primarily through observing other leaders.

“Allowing cybersecurity professionals to learn primarily by observing leaders may perpetuate bad habits, even if there is a side benefit of showing team members how not to act in positions of leadership,” according to the report, which is based on responses from 259 cybersecurity professionals. “Organizations will be better prepared for cybersecurity risks if they institute comprehensive formal training.”

The ISC2 report also found that respondents have specific ideas of what skills make a good cybersecurity leader. Communication is by far the most needed quality with 85 percent of those surveyed ranking that first. 

Other critical leadership skills include:

  • Strategic (41 percent of respondents)
  • Open-Minded (37 percent of respondents)
  • Technically Skilled (33 percent of respondents)
  • Decisiveness (21 percent of respondents)
  • Business Acumen (20 percent of respondents)

For industry observers such as Trey Ford, CISO at Bugcrowd, security leaders need these types of soft skills to better manage their security teams and establish their reputation with the C-Suite and board of directors at a time when cyber hygiene is critical.

“We can't understate the importance of building those soft leadership skills, empathy, communication, legal and ethics, or corporate strategy—leaders speak the language of their audience, not necessarily their domain of expertise,” Ford noted. “Successful communication is based on what is heard, understood, and acted upon—not necessarily what was said or presented.”

Focus on Communication

With skills such as communication and strategic thinking in high demand for cyber leaders and executives, Ford noted that many CISOs who are technically proficient will look outside of traditional areas of study to hone these skills.

“I coach CISOs and their leadership team to see themselves as orchestra conductors—the soft skills they need to be successful in building and resolving tension across partner teams they work with, hold accountable or serve,” Ford told Dice. “Technology leaders do not learn these skills or develop them in university. Instead, they often find them in executive education, night school or business school investments—or through the school of hard knocks—being on the job.”

For observers such as Alberto Farronato, vice president of marketing at Oasis Security, communication is key not only to cybersecurity but also to other parts of the enterprise such as DevOps, IT and individual business units. He used the example of identity and access management (IAM) to highlight how difficult it is to secure identities, and how that effort hinges on clear lines of communication.

“Securing non-human identities involves multiple stakeholders, including identity teams, cloud security engineers, DevSecOps teams and IT operations. Success in this area requires leaders who can clearly articulate priorities, align teams around shared goals, and foster ongoing collaboration,” Farronato told Dice. “Cybersecurity leaders must also communicate effectively during incidents, ensuring clear, consistent messaging to mitigate damage and restore trust. Investing in communication and leadership training—both on the job and in the classroom—for cybersecurity professionals is not a luxury; it’s a necessity.”

The lack of formal leadership training in many organizations can hamper effective communication and response, especially during a time of crisis following a breach or attack. By not investing in training, enterprises may suffer greater ripple effects following an incident, said Agnidipta Sarkar, vice president of CISO advisory at ColorTokens.

“The biggest challenge is the severe lack of formal avenues to learn and practice leadership skills in managing business. The situation becomes complicated when business leaders dilute the expertise needed to run a cybersecurity function by hiring incompetent individuals and do not train them,” Sarkar told Dice. “This leads to a lack of focus on the controls through which cyberattack proliferation can be contained and disrupted. This is one of the key reasons seemingly innocuous attacks seem to bypass operational controls.”

What Organizations Can Do to Improve Security Leadership Training

For many organizations, investing in training and leadership development can pay long-term dividends. 

Although it constitutes a small portion of a tech pro’s overall development, formal training—especially around leadership—can make a significant impact on a leader’s growth, particularly when they are exposed to new ideas or concepts, given time to practice, and then have the opportunity to reflect on how implementing those concepts helped the team or organization be more successful, said Kate Terrell, chief human resources officer at Menlo Security.

Leadership training can also help management address what Terrell calls VUCA—Volatile, Uncertain, Complex, and Ambiguous—conditions that complicate daily enterprise operations.

“Providing leaders with the tools needed to successfully lead their teams in these environments maximizes the chance of success,” Terrell told Dice. “For a business to achieve its results, you need the right leadership and talent that is highly engaged and enabled to perform. So much of that comes from leadership. Why would you leave this to chance? Further, when providing formal leadership development programs, you send a strong signal to the leader about their value to the organization—you are willing to invest in their growth. The company also aligns approaches across leaders and creates consistency of experience across your organization.”

For experts such as Brandon Williams, CTO of Conversant Group, organizations are missing out on chances to upskill their current employees, which can encourage more tech and security pros to try the leadership path.

“Organizations can upskill their leaders by integrating leadership training into career development activities and developing structured career progression plans that include milestones for both technical and leadership growth,” Williams told Dice. “I also encourage participating in leadership-focused workshops and conferences, and certifications, like CISSP or Certified CISO, which include leadership components. I believe in regularly assessing the leadership skills of cybersecurity managers through peer reviews, 360-degree feedback and performance evaluations. Businesses must make space for leaders to grow and develop. Otherwise, the pressing priorities of the day will win out, and these are often technical and security priorities, not ‘be a better leader’ priorities.”