Skills and traits of a business-savvy CISO

Sep 17, 2020
IT Leadership, Security

CISOs looking to advance their careers or land a plum job must prove they are really on top of their game. Here's what recruiters say sets business-savvy CISOs apart.


What does it mean to be ‘business-savvy’?

“Business-savvy” is a broad and somewhat vague term. It can cover everything from having a formal business education or background, to demonstrating a strong understanding of an organization’s mission and industry, to being responsible for hands-on business deliverables.

When an organization stresses the need for a CISO to be business-savvy, it is looking for someone who is “well rounded and experienced with all aspects of the business,” says Peter Jakola, a technical recruiter at Darwin Recruitment.

This focus on business value is understandable in today’s corporate environment. According to CIO‘s recent Pandemic Business Impact Survey, CEOs’ top three priorities for IT leaders are leading digital business initiatives, improving remote work experiences, and upgrading IT and data security to boost corporate resiliency.

“Sitting in on meetings with developers, sales teams, marketing, and customer service will provide a holistic view of the organization and how it’s operating,” Jakola says. “Sometimes managers and leaders get siloed into a division and lose sight of what is going on at the company. A business-savvy CISO has a pulse on all aspects of the business, not just the security operations.”

This all-encompassing perspective is key because CISOs today are expected to “bring innovation and ideas to the company and explain them in the context of business goals and risks,” says Kelly Doyle, managing director at executive recruiting firm Heller Search Associates.

The skills you need

Gaining an understanding of the business, of course, only gets you so far. It’s what you do with that knowledge that sets you apart. “Once they understand the business, [the business-savvy CISO] possesses the skills needed to craft a strategy and secure buy-in across the business, leadership team and the board to implement the plan,” Doyle says.

“A business-savvy CISO will understand technology but can explain it to stakeholders in business terms. He or she is someone who is naturally curious about business and knows that understanding the organization fully will make them a more effective CISO. This leader will also be able to communicate with stakeholders and put threats into a business context effectively.”

In terms of personal traits that the CISO should have, self-awareness is among the most important, says Jeff Snyder, president of Jeff Snyder Coaching. That is, “knowing the difference between what one can do and what one should do. Understanding how to adjust one’s communication for the various audiences they encounter. They should have well-developed emotional intelligence.” This self-awareness and ability to adjust the message to the audience is key because CISOs will be called on to sell security strategy to business leaders, have in-depth technology discussions with their team, and also inspire employees to recognize and avoid risky behaviors.

Show your stuff

When it comes to the top skills that CISOs should possess, storytelling just may be the most important of all. For the CISO job candidate, storytelling is an excellent way to help a potential employer get to know them quickly. Not only does it enable the CISO to discuss key business and technology topics in the context of the conversation, it also demonstrates the individual’s thought process.

“Your ability to craft compelling business stories about your prior experience and show your true understanding of the business – not just technology – is key,” says Doyle. “Be prepared to tell a story about what you did in your last organization. Did you implement a strategy and roadmap and gain board-level buy-in? That’s a great story to share. Did you create meaningful metrics to show security’s strategic value? If you were at a company that was shifting to digital, can you speak to how you helped to secure critical data? Even better, if your company recently started selling new digital products, were you involved in product development? Or if you bring specific experience in a highly regulated industry, speak to your experience there.”

“Being able to sell yourself and your skillset to a company is extremely important,” says Jakola. “When recruiting for CISO and other executive-level roles, companies are looking at hundreds of applicants that all have solid resumes, work experiences, and education backgrounds.”

“The way to differentiate yourself from the pack is to provide specific ways you can bring immediate value to the company. Do you have experience working in the same industry? Great, make it a point to tell them. Did you successfully complete a project that you know this company is planning or in the process of working on? Even better. Explain in detail how you oversaw this project, the headcount, budget, and the money saved or revenue generated. Companies want to know that hiring you will bring value to their team, so do not be shy in providing examples on how you provided value for your current and previous employers.”

Quite simply, the CISOs who can tell a compelling story about how they bring value to an organization, or how they helped manage a key project, are the ones most likely to land the top jobs or best advance their careers.