In many organizations, it is the chief information security officer (CISO) who oversees efforts to fight threats such as data breaches, ransomware and phishing. In fact, companies with a CISO or chief security officer (CSO) had stronger cybersecurity training programs, according to IDG’s 2020 Security Priorities Study.
However, Dave Lewis, global advisory CISO for Cisco's Duo security business, notes that the job is primarily a managerial role, so although a security background is helpful, not all people in this position have that. In fact, people with a natural talent for looking at things in a different way can receive training in security, according to Lewis, who has a degree in archaeology and later began graduate work in cybersecurity.
While he was studying archaeology, Lewis taught himself to hack into computers just out of an “innate curiosity,” he says. That drive to learn served him well. If you are a security professional working up the ladder or just starting out in tech and want to know how to become a CISO, here are five things you will need to learn to do.
Communicate Business Risks and Priorities
CISOs must be able to communicate how cyber risks relate to business risks to executives and board members. As CISOs communicate risks, they also need to share strategic priorities around cyber resilience, noted Curtis Simpson, CISO of security firm Armis. Cyber resilience entails withstanding and recovering from cybersecurity threats.
“CISOs, cyber teams and their partners will not be able to remediate or mitigate every risk facing the organization,” Simpson said. “Focus is key, and focus should always be based on risks and exposures that are most likely to disrupt what matters most to the business.”
The job also involves communicating to external auditors about the risk to data and intellectual property, Lewis noted: “First and foremost, you want to be able to be strong in risk management because as a defender you have a fiduciary responsibility to protect your organization.”
Manage the Human Element
Lewis said CISOs not only need to know how to keep systems secure but also easy to use for business professionals. This is what he calls “managing the human element” for staff that may not be technically savvy or are working remotely.
“As a security practitioner, especially in the CISO role, you want to always be cognizant that everything you do is to secure the organization but not at the cost of slowing down people's ability to operate,” Lewis said. He adds that a CISO should “democratize security” by providing people in areas such as finance and HR with the intuitive tools they need to work securely.
During the COVID-19 pandemic, organizations are being especially careful about allocating funds, so it requires a CISO to act like a chief financial officer, according to Lewis.
In this role, you should be able to identify the biggest risks to the organization and map out a budget to address them. To learn the financial aspects of the job, potential CISOs don’t necessarily need a financial background, according to Lewis. They could take a course from a company like Coursera or edX to learn how to manage the financial parts of leading the security team.
Understand Process Management
A CISO also must know about process management, such as removing or adding staff to reduce security risks, Lewis said.
“If that is not done in a way that it makes sense, you could really be exposing your organization to undue risk that could potentially cause harm,” Lewis said. “You want to make sure that that process is not only refined and tested, but you have to constantly go back and review the processes, because things may have changed.”
If an employee leaves in a rage, the CISO must know how to protect company email networks and financial records from this person, Lewis said. The CISO should learn automation as part of onboarding and offboarding, he said. Knowledge of business intelligence applications would also be helpful in spotting anomalous behavior.
He has used a process management system called ITIL to reduce the risk to an organization by reviewing the changes that are being made. ITIL is a framework of practices for delivering IT services.
Think in a Strategic Fashion Instead of a Tactical Approach
A managerial role such as a CISO involves an approach that is more strategic than tactical, according to Lewis. A mentor taught him the importance of thinking at a high level rather than concentrating on a particular tool or security incident.
“It's very much about changing your way of thinking, looking at a long-term plan, and then having people with that tactical ability work for you on your team that can then address the tactical issues,” Lewis said. “You are there to make sure you're managing the business of securing for your organization, and you have folks that do the tactical for you.” People conducting tactical tasks such as running compliance or audits or managing firewalls will need clear direction from the CISO, he added.
Gaining knowledge in these areas should prepare a future CISO for success.