Recently, I got to ask members of the CIOChat about their CISO colleagues. To be fair, this was an above-board and positive discussion, and their guidance should be helpful to all CISOs, especially those who want to build more effective relationships with their business counterparts.
CISO Communication Skills
Ed Featherston, Vice President for Cloud Technology Partners, started this discussion. Ed said communication skills are a must-have for today’s CISOs. He said that effective CISOs must have the ability to explain cost/risk/benefit in business terms to get buy-in and support. Chris Petersen, an IT consultant, agreed with Ed and asserted that all C-suite personnel should be effective and transparent communicators. Josh Wright, Chief Technical Architect for PwC, said, however, that we have to educate CISOs.
They need to understand that “not knowing how the sausage is made doesn’t make people dumb, it makes them vulnerable to bad decisions”. EG Nadhan, Chief Technical Strategist at RedHat, agreed with Josh by saying that security experts are notoriously bad at talking to normal people.
At the RSA Conference, Seth Meyers, the comedian, even made a joke about this problem by saying it must feel good being at a conference where everyone actually knows what you are talking about.
Steven diFilipo, CIO for the Institution for Transformational Learning, didn’t disagree with the sentiment of Seth Meyers. diFilipo said, “a CISO that communicates risk in a manner that does not matter to others will not have their burden for long”. Peter Salvitti, CTO for Boston College, extended diFilipo’s thought by saying there is no such thing ever as “over-communicating” risk, compliance, and governance, and that “CISO effectiveness is tied to their creativity in communication”.
Steven Fox, Senior Cybersecurity Officer for the US Department of Treasury, added that most of his customers see opportunity where his team sees risk. Featherston confirmed Fox’s thinking by saying “security balance/tradeoffs is like walking a tightrope over a tank of hungry sharks”. CISOs need to get business people to understand the risk of falling.
For this reason, Featherston said a hallmark characteristic of a competent CISO is the ability to clearly and effectively communicate complex security ideas.
Become more like a business-facing CIO
Melissa Woo, CIO of Stoneybrook University, said that good CISOs should have the same traits as a good CIO. Promotion opportunity? These include being a communicator, being strategic, etc. Sharon Plitt, CIO of Binghamton University, added that CISOs and CIOs must be able to communicate risk to business partners and be able to help with identifying and managing risk.
In sum, she said that everyone in IT today needs to be a bit of a business person or they risk becoming irrelevant. Business knowledge is essential. Pascal Viognier, CIO of Orange, said it is better to have a security-oriented CISO with strong business acumen. Josh Olson, Chief Information Officer for Michigan Tech University, agreed and went further, saying he believes the CIO and CISO should be able to swap roles on demand. Woo said she did not find Josh’s thought controversial because the skill sets are so similar. Nadhan had a somewhat different opinion here. He said if the CIO is a business person, then the CISO should be a security business person.
The CISO drives policy and governance and manages compliance and risk based upon strategic business initiatives. diFilipo agreed and said that a CISO should understand how to deliver on business needs. For this reason, he said that security is a component of service/product delivery. At this point, Jeffrey Pomerantz added that his research at Educause shows CISOs spend a lot of time on supporting institutional strategy.
Parting remarks
So there you have it: CISOs should be more like CIOs. In other words, they should be business leaders. If you are looking for more ideas on being an effective CISO, I have put together a brief on the CISO function with data. Here is a link to that brief.