Why CISO roles require business and technology savvy

Source: CSO Online

Publish date: 12th October 2022

Listening and communicating to both the technical and business sides is critical to successfully leading IT teams and business leaders to the same end-goal.

Of all the crazy postings that advertise for CISO jobs, the one asking for a CISO to code in Python was probably the most outrageous example of the disconnect about a CISO’s role, says Joe Head, CISO search director at UK-based search firm, Intaso. This was a few years ago, and one can only guess that the role had been created by a technologist who didn’t care about or didn’t understand the business—or, inversely by a businessperson who didn’t understand enough about technology.

In either case, the disconnect is real. However, Head and other experts say that when it comes to achieving the true, executive role and reporting to the CEO and board, business skills rule. That doesn’t mean, however, that most CISOs know nothing about technology, because most still start out with technology backgrounds.

In the 2022 CISO survey by executive placement firm, Heidrick & Struggles, most CISOs come from a functional IT background that reflects the issues of the time. (For example, in 2022 10% of CISOs came from software engineering backgrounds, which tracks with the White House directive to protect the software supply chain.) The report notes that the majority of CISOs have experience in the financial services industry, which has a low risk tolerance and where more money is spent on security.

The survey also indicates that only a small core of CISOs (working primarily for the Fortune 500) rise to the executive level with the combination of business and technical responsibilities that come with the role. In it, more than two-thirds of CISOs responding to the survey worked for companies worth over $5 billion. So, instead of bashing a CISO’s lack of IT skills, the real need lies in developing business skills for the technologists coming up the ranks.

Expected CISO people, process, technology skill mix can vary

“There is no one correct answer about how technical a CISO needs to be. My advice is that CISO’s must remain current on emerging technology, vendor strategies, and be able to ensure that technical projects and their implementation don’t generate more risk for the organization,” advises Renee Guttmann, a virtual CISO advisor and former CISO of several Fortune 50 companies.

Since the vast majority of CISOs start from a technical background, the onus is on them to learn the proper business leadership and high-level communication skills required to interface with stakeholders and CEOs, VC firms, outside investors, regulators. “Yes, technical skills are important. But early in your career, you need to hone your business skills so you can talk to a range of individuals and understand how the business operates,” Head says.

In the UK, where cybersecurity is less mature than in the US, he says that it’s harder to find the technical and business combination needed in an executive-level CISO, and that most security managers are more akin to “glorified engineers.” He’s been working to help candidates enhance their business savvy, adding, “The most successful people I see are those IT professionals who are building on their business skills by going to back to school for more business education.”

One such example is Bob West, CSO for Prisma Cloud, a division of Palo Alto Networks. In the late 1980s, he worked as a senior systems officer at Citicorp. Then after learning from his peers the value of business skills, he earned his MS in information systems management in the 1990s before starting at JP Morgan as a security architect. He then grew into the role of CISO for its Bank One retail group. Then, after that, he was enterprise CISO at Fifth Third Bank.

Being technical is somewhat important for a CISO, West says, “But more important is being a solid leader and to function as part of a leadership team. It’s important to understand where the business is going so a security strategy has proper business alignment. Establish and manage relationships with the rest of the leadership team. And, if you’re not technology savvy in every area, then know who to ask.”

Would-be CISOs: Find a champion, be a champion

West recommends seeking out peers and leaders who can communicate to the business side as well to their IT teams. As an example, he points to a boss whom he considered a mentor, who was a proven technology leader but not a security pro. Yet he was able to fix a broken security program that nobody else could. West attributes his mentor’s success at the time to telling good stories to leadership and board of directors. “When my boss hired me, he said, ‘Know how to tell a good story and know your audience.’ It’s a different track when talking to a board of directors than it is when talking to a CIO or internal auditor,” he adds.

Communication begins with active listening, adds Barbara Filkins, a consultant at Syntax2Semantics LLC. Filkins also started out with a technical background and worked her way up to C-level consulting for medical providers and exchanges while achieving her Master’s in Information Security Management from SANS Technology Institute. Listening, she says, leads to better communication and, most importantly, understanding of what you need to address in terms of the domain being protected, whether healthcare, aviation, or water management. Filkins has worked across all these sectors.

“Being successful as a CISO really is a balancing act because the CISO must understand the technical aspects so they can communicate with, and gain the trust of, their technical staff. They also need to deal with the programmatic and business issues that their organization faces, such as cost justification, risk management and those type of things. Not everyone that is technically skilled can communicate their expertise and where it fits into the business need,” she explains.

Multiple paths to CISO success

It’s only in recent years that the CISO role has been elevated from a back-office function to a true C-suite leader and business enabler, says Joyce Brocaglia, global cybersecurity practice leader at executive recruiting firm, Alta Associates. Even if the role and job requirements ultimately mature, she cautions against believing there is or will be a “one size fits all” CISO role. Although the title may be the same, the role, responsibility, reporting structure, number of staff, maturity of the department, culture of support, and overall measure of success can all vary, she explains.

“It’s hardly ever as simple as they don’t have the right technical or managerial skills,” she explains. “Sometimes, the CIO who has a strong technology background favors hiring someone more technical than may be necessary for the role. Other times, the hiring manager and their peers or key stakeholders who are engaged in the interview process aren’t aligned on the job description and what they are truly looking to accomplish in the role, so we at Alta help them find the balance they need.”

True executive CISOs are rare enough that they’re landing $1 million pay packages and more, Fortune reports. To get ahead, Guttmann advises future CISOs to update their business education, attend industry events, and join local networking opportunities.

“The CISO who makes it a point to understand business culture, threats to their business, how to create appropriate criteria for product pilots, time to implement, system dependencies, and long-term operations requirements is worth their weight in gold,” Guttmann adds. “The CISO who can then package this data up for stakeholders and executives and obtain the support and funding is worth their weight in diamonds.”