Information security leaders of the future need skills that go beyond security, according to Lee J. Kushner. After several years of maturation, CSOs and CISOs are increasingly finding the word "chief" in their title comes with different expectations than it did when the role first began cropping up in organizations a decade ago.
"Today's CISO will need to build a comprehensive skills matrix that places them on the same level as other senior executives," said Kushner, who will be leading a presentation about CISO skills and careers at RSA this week.
What are those key skills and attributes that companies are searching for now when selecting a CISO? Kushner takes us through the four most important—and advises on how security professionals can acquire them.
Technical knowledge—that connects to business operations
While technical expertise is something a CISO has always needed, Kushner believes strong technical knowledge will remain a cornerstone for the CISO—and also CSO—of the future. In fact, it is this level of knowledge that will broaden the gap and continue to differentiate senior information security leaders, from their counterparts with backgrounds solely in physical security, and make them more attractive in the selection process.
CSO resumes: 5 tips to make yours shine [CSO Insider registration required]
"As enterprises become more reliant on technology to enhance their business, the CISO is going to be required to expand and grow their technical competencies and awareness," said Kushner. "This breadth of knowledge will be a key component in the maintenance of their credibility and establishment of trust with the leadership of core technical functions—including software development, infrastructure, engineering and operations."
This also means a CISO's technical competency needs to span beyond just preparing a company to thwart emerging threats and attacks.
More security leadership tips
- The new CISO: How the role has changed
- What is a CSO, part 2
- Security and business: Financial basics
- Let's talk: Security leadership and executive communication [First CSO Magazine cover story, 2002]
- [Promo:] CSO Magazine, free to qualified subscribers!
"Instead of thinking about what a widget does and how cool it is, CISOs need to be thinking about 'How is this technology going to affect our business?' said Kushner."What is going to be the impact if we do this with our supply chain, or access management, or mobile apps or whatever it may be."
And as the business begins to evaluate new technologies to aid in their expansion, the CISO will have to help the business understand both the risks and exposure that these new technologies bring on.
"One of the best current examples of this would be the security around tablet technology and mobile devices," said Kushner. "Many organizations are thinking about ways this technology can aid sales, increase productivity, and maximize performance—however the CISO will need to be able to articulate how these new technologies expose the business to risk, and how they need to be implemented correctly to maintain regulatory compliance and adherence to industry standards and frameworks."
Business acumen—at a whole new level
"The biggest issue security folks are dealing with right now is that in the past they've used their peer group of security pros to be their benchmark of what their skills should be," said Kushner. "Now that benchmark is really the executive team."
While you may be an expert in application security, comparing yourself to a group of application security professionals will only keep you in application security and won't get you elevated to management, explained Kushner.
"You have to compare yourself to other people who are sitting in the boardroom. Many security folks say 'I don't get a seat at the executive table.' But the truth is they're not getting a seat at the executive table because the other executives aren't convinced that they deserve a seat."
Kushner recommends building skills and undertaking career investments that will enable you to be seen in that executive light. Understanding the key components of the organization&mdash:not just its security—is what will get you noticed. Learn what external factors the organization is dealing with, the obstacles it faces in the market that go beyond security and risk.
"Most security folks think they have business skills. But the way a security person defines business skills, and the way the CIO or the CFO or another C-level person defines business skills are probably two different things."
Read the controversial Undercover column From the CIO: Why you didn't get the CISO job
Communication ability—including the skill of listening
"In order for a security program to be implemented correctly you have to be able to get that message to everyone," said Kushner. "Everybody has to develop some kind of security conscience."
Kushner points out that listening skills may be even more important than speaking in the first stages of communicating with others throughout the organization.
"Understanding people and cultures is such a skill. Most people neglect that skill," he said.
For example, you won't communicate with the technical operations team the way you would with a business leader.
"Figuring out the different languages and figuring out how to translate what you're doing into a language that they respect and understand is big," said Kushner.
"Effective communication from a security leader means having a broader knowledge base, understanding the competing interests of the business, and making sense of it."
Leadership skill—no matter your current position
Of all the skills today's employer is looking for from their CISO or security manager, it is leadership, according to Kushner. And many companies may be hiring a CISO because they are seeking change within an organization and they want a CISO who can drive their security in a new direction.
"Because information security is permeating organizations in different ways that were never expected, the message and the vision for information security is one that has to be conveyed," said Kushner "Not just to the parties in the know—but also to the parties who have been ambivalent and have ignored security."
And that takes someone with leadership ability, he said.
Even if you are not in a leadership role now, you can build this skill in your current position. Leadership takes many forms, said Kushner.
"You can be an early-stage person who does a bang-up job on a project. That is leadership. Rolling out a software package or tool for a compliance issue can be a chance to take the lead. Or you can be a person who has the ability to convey thought leadership to build momentum throughout the organization to build a culture of security," he advises. "Leadership is something we can't always describe, but when you see it, you recognize it."