24 October 19, 15:30
Quote:
Last year, looking at feedback from my peers on the industry’s focus and issues, I had mixed feelings. A year later, it turns out the results of our new survey are even more interesting. The complete report, called “Cybersecurity through the CISO’s eyes: Perspectives on a role,” which our experts made in collaboration with 451 Research, is available below.
The very first impression you get as you look at the results of these two studies is this: Information security in general, and the role of CISO in particular, are becoming more and more important for business — at least, according to roughly 300 of my infosec peers. Definitely a good sign. So is the fact that more and more respondents have listed “risk management” and other business skills among the essential ones for their role.
There is one point on which I cannot agree with many of my peers, however. Some still say technical competencies and intimate knowledge of corporate IT systems are the key skills for both their work and their further development. It seems to me that even though technical knowledge is the basic requirement for a CISO — and even though CISOs do need to be conversant with new technologies — the industry must realize that modern IT systems are far too complex for CISOs, even potentially, to have the full picture, technically speaking.
Moreover, information systems are going to get even more sophisticated (which most respondents do expect). Therefore, a CISO’s technical competencies, though important, are secondary to the development of skills such as risk management, effective team management, and business communication. Today, staff is what matters.
Understand people, not systems
In fact, both IT systems and security technologies are now sophisticated enough to free highly specialized professionals to make business-critical decisions. Of course, that shift makes trust on the team even more important than ever. On the one hand, the information security department chief has to be able to trust the team’s specialists. On the other hand, they, too, must trust the CISO’s judgment and decisions — not blindly or without the ability to voice their opinions, but with a common cause and mutual professional respect.
According to the respondents, winning budget increases for procurement of systems is sometimes easier than hiring more information security professionals. Buying as many shiny new systems as possible may sound great, but it is much more important to identify the key skills and competencies indispensable for in-house experts and those that can be outsourced. In fact, given the shortage of specialists in the market, I think it is a good idea to regard outsourcing as an opportunity to expand the department’s capabilities and respond to business needs faster.
...