Interview With an Expert: How Does a CISO Learn to Be a CISO?
The role of the chief information security officer (CISO) is quickly becoming more important as cybersecurity in general becomes more intertwined with companies' business activities. This fact in itself is indicative of the versatile nature of this position.
To learn more about what qualities a successful CISO should have, it's best to talk to one. Mr. John Hellickson, managing director, Strategy & Governance at Kudelski Security and former CISO at First Data Corporation, agreed to give InfoSec Institute readers backstage access to areas reserved for experienced security experts that exercise this profession.
What should you learn next?
1. What are the areas in which a CISO should be particularly experienced in order to be successful?
Mr. Hellickson: There are many unique factors in the CISO's path to success, and they can be quite different across companies and industries. The role used to be seen as the company's information security technology expert, often buried in the IT organization.
Today, at most organizations, the position prominently involves risk management. The CISO needs to fully understand their industry, establish a security vision for the company, and align their security program to the business' goals and objectives. Moreover, communication skills are key, with the ability to speak the business language, while maintaining the capability to get in the technical weeds with the IT, Application and Development teams across the company.
At the same time, they need to demonstrate strong leadership skills and be able to influence others to manage risk, particularly when they don't report up through their own chain of command. Since Security pretty much touches every part of the organization, the CISO becomes an asset when they manage to create a bridge between the technical approach and how they convey the positive impacts their investments and controls have on the organization.
Ultimately, the CISO must be seen as a business enabler, helping the business understand and manage risk, which often helps the company make informed calculated risks to achieve business objectives that they might not have otherwise.
2. What are the lessons you learned on the job? What you wish you'd been told before and after the first day?
Mr. Hellickson: Since I have been in the information security field for more than 20 years, I had 'ideas' on what I would do when I became a CISO, but on day one, I wish I was told to relax. I knew the role had enormous responsibility for the organization I was with, and having the fortunate, or more like the unfortunate, benefit of knowing where most of the security gaps existed over the 15 years of working there, I created unnecessary stress for myself and many of my direct reports. I realized the job goes beyond the purely technology tasks of being versed in the best ways to address issues and threats.
As you start working as a CISO, you will find out that your role is more of a business facilitator. You need to know about regulations, how to be compliant and be able to draft a path for security protocols, while also developing a relation with the IT leadership who will put into practice the stipulated tactics. You need to make sure risks are being identified, assessed equally, and understood by the business leaders who truly own that risk while being associated to the mission of the business and industry. You will become the puppeteer behind the curtain, moving the right elements and people's attention to the most important risks and threats that the company is currently facing. The modern-day CISO needs to be prepared and exude the executive presence that many of their C-Suite peers already have, while maintaining and achieving the cybersecurity goals that effectively manage risk.
3. What were the biggest challenges that you had to deal with, and what skills and experience do you wish you had from the start?
Mr. Hellickson: One of the top challenges when starting as a CISO is the ability to demonstrate to the Board of Directors that you are the right person for the role. As CISOs, we need to be able to effectively manage cybersecurity risk across the enterprise and understand the strategic business value working with different people in the hierarchy of the company. This means being recognized as a key part of the company's success. From the start, CISOs have to create awareness about cybersecurity in terms of business goals, instill confidence in the security program and its framework, while maintaining regulatory compliance, delivering upon stated roadmaps, maintaining regular discussions with Board members to keep them abreast of threats and risks and the impact to the organization.
On top of that, technical savviness plays an important role to ensure the right controls are implemented. It goes without saying, but we need to keep up with disruptive technologies such as IoT, AI, and Automation & Orchestration, to name a few, while not falling into the trap of buying and partially deploying more and more next-gen sets of technologies. People in this position will have to face other obstacles, such as recognizing the new skillsets required to successfully make the transition to embrace and support Cloud adoption, while the industry faces shortages of skilled cybersecurity practitioners. And there's always the continuing challenge of convincing the executive management that the organization needs to spend even more on security technologies when we've been investing heavily in this area for past few years.
4. What are the key attributes of a successful CISO? Do CISOs need mentoring?
Mr. Hellickson: A successful CISO engages with the business. As I mentioned before, a CISO's role today is primarily Risk Management. They are more of an advisor and strategist, while also being a technologist behind the scenes. Establishing a Security Risk Steering Committee, with other C-Suite members, is one of several effective ways to engage with business leaders. The old practice of instilling fear, uncertainty and doubt to drive support for additional budget and large projects is long gone.
The CISO should be perceived as a business partner, a team player, adaptable to the business changes and threats, and have a continuous improvement mindset across people, process and sometimes technology needs. Additionally, the CISO should be focused on self-improvement, where a coach and/or mentor are essential to becoming a very effective senior leader. As a fellow colleague often says, athletes of the highest levels always have a coach, often many coaches, from experts in their sport to nutritionists that keep them as healthy as possible. Why shouldn't CISOs? The CISO has one of the most challenging roles within any organization. They should have both a senior business leader and an industry peer as mentors, and if the organization supports it, an executive coach to improve their leadership and organizational influence skillset.
5. Communicating with the board is often a challenge for CISOs. How can they improve security communication?
Mr. Hellickson: Understand their audience. Often, their Board members are on other Boards or currently serve or have held different Executive Leadership roles at other companies. This means that the programs a CISO implements will be compared to those in other organizations. Researching Board members' backgrounds could provide useful insights on how to engage with them, from their knowledge of cybersecurity and the industries they have experience in, to the peers in the industry you should be reaching out to whom the board member may already be discussing cybersecurity with.
Additionally, when a CISO has their 10-30 minutes with the Board, they should avoid telling the board that their controls are effective. They should, instead, demonstrate this by showing how everyday activities are linked to real-world threats. For example, the CISO could explain how an improved phishing testing and security awareness program reduced the number of employees falling prey to a real-world phishing attack while the email security gateways identified and stopped many of the phishing emails from going to everyone in the organization. As a result, they attest to a minimally-impacting incident thanks to the people, process and technology controls, nearly eliminating the loss of productivity for the impacted users and reducing the time IT would have spent tracking down the malware and rebuilding systems from the ground up. Examples like this one help different members in the organization put into context the results they are getting.
In short, the CISO should embrace a strategic vision, enable business products and services, build executive presence and have the ability to get things done across the organization through influencing skills.
Source: Kudelski Security
Conclusion
According to a Bitdefender's survey issued in March 2018, 72% of CISOs admit their IT team experiences both agent and alert fatigue. To address this issue, most organizations plan to expand their IT security teams, even though the global cyberskills deficit is negatively affecting their efforts. Moreover, 69% of CISOs consider their team as under-resourced, which, in turn, puts a heavy burden on difficult security tasks (one of which is monitoring activities, according to the CISOs in the U.S.).
While there is no quick solution to these problems, we could draw some meaningful conclusions from what Mr. Hellickson mentioned. First, a CISO should be a person that possesses strong communication and leadership skills; a person that can unite different entities within an organization under the banner of "security is everyone's responsibility." Second, in order to do that, the CISO should be familiar with the risks the company faces. Last but definitely not least, he/she should also be familiar with the organization as a whole so that he/she could implement an effective security strategy that is in line with the organization's business goals.
FREE role-guided training plans
You could say "It's easier said than done," but it is certainly not an impossible mission with respect to companies where a CISO knows what to do and knows from whom to learn the things he/she does not know.