By Mr. Suer
Recently, I got to ask members of the CIOChat about their CISO colleagues. To be fair, this was an above-board and positive discussion. Their guidance should be helpful to all CISOs, especially those who want to build more effective relationships with their business counterparts.
CISO Communication Skills
Ed Featherston, Vice President for Cloud Technology Partners, started this discussion. Ed said communication skills are a must-have for today’s CISOs. He said that effective CISOs must have the ability to explain cost/risk/benefit in business terms to get buy-in and support. Chris Petersen, an IT consultant, agreed with Ed and asserted that all C-suite personnel should be effective and transparent communicators. Josh Wright, Chief Technical Architect for PwC, said, however, that we have to educate CISOs.
They need to understand that “not knowing how the sausage is made doesn’t make people dumb, it makes them vulnerable to bad decisions”. EG Nadhan, Chief Technical Strategist at RedHat, agreed with Josh by saying that security experts are notoriously bad at talking to normal people.
At the RSA Conference, Seth Meyers, the comedian, even made a joke about this problem by saying it must feel good being at a conference where everyone actually knows what you are talking about.
Steven diFilipo, CIO for the Institution for Transformational Learning, didn’t disagree with the sentiment of Seth Meyers. diFilipo said, “a CISO that communicates risk in a manner that does not matter to others will not have their burden for long”. Peter Salvitti, CTO for Boston College, extended diFilipo’s thought by saying there is no such thing ever as “over-communicating” risk, compliance, and governance.
CISO effectiveness is tied to their creativity in communication. Steven Fox, Senior Cybersecurity Officer for the US Department of Treasury, added that most of his customers see opportunity where his team sees risk. Featherston confirmed Fox’s thinking by saying “security balance/tradeoffs is like walking a tightrope over a tank of hungry sharks”. CISOs need to get business people to understand the risk of falling.
For this reason, Featherston says a hallmark characteristic of a competent CISO is the ability to clearly and effectively communicate complex security ideas.
Become more like a business-facing CIO
Melissa Woo, CIO of Stony Brook University, said here that good CISOs should have the same traits as a good CIO. Promotion opportunity? These include being a communicator, being strategic, etc. Sharon Plitt, CIO of Binghamton University, added that CISOs and CIOs must be able to communicate risk to business partners and be able to help with identifying and managing risk.
In sum, she said that everyone in IT today needs to be a bit of a business person or they risk becoming irrelevant. Business knowledge is essential. Pascal Viognier, CIO of Orange, said here it is better to have a security-oriented CISO with strong business acumen. Josh Olson, Chief Information Officer for Michigan Tech University, agreed and went further, saying he believes the CIO and CISO should be able to swap roles on demand. Woo said she did not find Josh’s thought controversial because the skill sets are so similar. Nadhan had a somewhat different opinion here. He said if the CIO is a business person, then the CISO should be a security business person.
The CISO drives policy and governance and manages compliance and risk based upon strategic business initiatives. diFilipo agreed and said that a CISO should understand how to deliver on business needs. For this reason, he said that security is a component of service/product delivery. At this point, Jeffrey Pomerantz added that his research at Educause shows CISOs spend a lot of time on supporting institutional strategy.
So there you have it, CISOs should be more like a CIO. In other words, they should be a business leader. If you are looking for more ideas on being an effective CISO, I have put together a brief on the CISO function with data. Here is a link to that brief.
About the Author
Mr. Suer is the Director of Solutions and Industry Marketing at Protegrity Corporation. Mr. Suer is focused upon solutions for key audiences including CIOs, CFOs, Chief Enterprise Architects, and Chief Data Officers and the application of Protegrity to industries. He is also the facilitator for the #CIOChat and a Contributor to CIO.com. Prior to Protegrity, Mr. Suer was the Chief Platform Evangelist at Informatica. Much of Mr. Suer’s experience is as a BI practitioner. At HP and Peregrine, Mr. Suer led a product management team applying analytics and big data technology to the company’s IT management products.
Mr. Suer has also been a thought leader for numerous industry standards. For COBIT, Mr. Suer has written extensively. Most recently, he published in ISACA News “Extending COBIT 5 Data Security Guidance”. Mr. Suer led new product initiatives at start-ups and large companies. Mr. Suer has also been a software industry analyst. Mr. Suer holds a Master of Science degree from UC Irvine and a second Master’s in Business Administration in Strategic Planning from the University of Southern California.