CXO Priorities

The changing CISO skillset – communication is paramount

Marc Lueck, CISO EMEA Zscaler, explains that while historically the role of CISO has demanded a fervent dedication to security, contemporary requirements extend beyond mere security expertise. Today, effective CISOs must also excel in business leadership and communication.

Marc Lueck, CISO EMEA Zscaler

The changing CISO skillset is by no means a new conversation. Indeed, over the past decade, there has been a gradual but notable shift in what the role entails. Where once it might have been known as the role that says ‘no’ and was blamed for any perceived or real security incident – the title was famously said to stand for Chief Impeding Sacrificial Officer.

Increasingly, the key to being a modern CISO isn’t cyber-related at all. Instead, it is about having the ability to understand and distinguish between the different modes of communication required to serve the ever-expanding needs of the workforce and business. Faced with a faster-evolving threat landscape than ever before, communicating upwards, sideways and downwards about risk level is crucial for any CISO looking to keep their organisation secure.

Communicating upwards

As my colleague pointed out in a recent related article, lately, there has been an industry-wide focus on the growing role of CISOs as educators for their board of directors. As more governments consider sweeping cybersecurity regulations, organisational leadership is looking to CISOs for guidance on how to react. This is a welcome shift from the more transactional interactions CISOs had with boards 10 years ago.

Staying on top of the latest cybersecurity developments is challenging, and predicting the legal and financial implications of various existing and proposed cybersecurity legislations can be particularly mind-bending. Many recent cybersecurity regulations, for example, only apply to government agencies, but this does not mean they will have no impact on the private sector. When the government adopts a regulation, it often rejects partnerships with any organisation that does not meet the same standard.

In this sense, businesses seeking government contracts are also governed by cybersecurity regulations that affect the public sector. Some examples of this are DORA, SREN or NIS2. The NIS2 Directive – the EU-wide legislation on cybersecurity – is supposed to boost the overall level of cybersecurity within the EU. Under this directive, businesses identified by the member states as operators of essential services – including key digital providers such as search engines, cloud computing services and online marketplaces – now have to take appropriate security measures and notify relevant national authorities of serious incidents.

Trying to ensure an organisation’s cybersecurity posture complies with these regulatory environments could be its own full-time job. Part of the challenge CISOs face is knowing how to get the board to understand what the real risk to the organisation is and avoiding any moments of panic that board members so often experience when threat risk is communicated too late or without a recovery plan in place. With the pace of regulatory change not likely to slow, the ability of CISOs to communicate upwards will be vital for continued business success.

Communicating sideways

As cybersecurity’s importance has risen through the organisation, so too has the stature of those in charge of it. With C in their title, the CISO is already a business leader – that hurdle has been jumped. But with this, sideways communication has become essential.

The CISO has a wide-ranging responsibility; accountability for the security of the whole business as well as every digital identity, device and system with it. If the security of any of these elements were to fail or be put at risk, the organisation would be in jeopardy and business stability impacted. It is rare, however, that a CISO will directly deliver on this accountability. This is because whoever within the business owns the endpoint (devices, system, monitoring and management) is ultimately responsible for delivering its security. Often, this falls under the Chief Information Officer, but other C-suite members are also getting in on the act as technology becomes more central to their operations.

To account for this, CISOs need to communicate with their C-suite counterparts about their shared responsibility and agreed goals. They must also combine this with storytelling, negotiation and selling to ensure their engagement in the vision and mission at hand. It is only through this that CISOs can build the depth of relationships needed to be able to count on their fellow leaders to deliver against security goals and objectives that feed into the organisation’s overarching business goals.

Communicating downwards

Downwards communication is arguably the most important type of communication, especially when it comes to bringing teams along on the journey or getting them galvanised behind certain ambitions. There are many people within the security function – analysts most prominently – who don’t want to spend their days looking through incident log files. Rather than doing this monotonous monitoring, analysts are usually far more interested in providing their organisations with deep-level insights that can help them unearth potential weak spots in their defenses or breaches that have already happened.

By engaging with the parts of the workforce who have a genuine interest in delivering solutions to keep businesses safe and make them go faster, CISOs can help contribute to greater staff retention – which is increasingly difficult in a highly competitive market. This, in turn, leads to better outcomes through more workforce consistency. A CISO who knows how to communicate goals downwards and ensure a team is excited about delivering against them is one who is going to have better staff retention in the immediate and long term.

The bigger picture

The role of the CISO was forged at a time when organisations needed someone to be responsible for the IT security ‘stuff’. As technology has evolved and become central to business success, so has the responsibility and required skillset of the CISO. With less focus on tools, threats and even risk management than ever before, for the successful modern CISO, nothing is quite as important as figuring out how to make their business more efficient, connected and therefore better performing, through stronger communication. Similarly, where once understanding technology was core to the role, today’s CISO needs a more consolidated awareness of the business as a whole and the ability to engage in dialogue about it.

The CISO job has always required people who are flexible, adaptable and passionate about security. But in today’s world, it is as much about business leadership and communication as it is about the security aspect itself. In a forward-thinking organisation, if a CISO cannot understand and talk business, they have little to no chance of effectively selling business priorities central to their mission to the board, nor of getting the rest of the organisation bought into the actions required to achieve them.