
How Today’s CISOs Can Adapt to New Requirements

Sivan Tehila, CEO and founder of Onyxia and director of the Master of Science in Cybersecurity program at the Katz School of Science and Health.

With the SEC implementing a four-day window for disclosing cybersecurity incidents, chief information security officers (CISOs) are feeling the pressure as their responsibilities shift from day-to-day threat management to overseeing broader business operations.

Given their broad responsibilities, effective CISOs must also expand their leadership skills to ensure organizational compliance, translate cyber risk into business outcomes, and maintain enterprise continuity, profitability, and resilience.

For many chief information security officers, this means having to acquire entirely new skills.

The Changing Role of the CISO

In the past, CISOs reported to the CIO and worked with IT teams. In the face of growing industry threats, they are becoming increasingly independent and often report directly to the CEO.

While the SEC’s proposal to have at least one director with relevant cybersecurity experience on the board was not adopted, 59% of companies still plan to have their CISOs report directly to the board, and just over a third plan to increase the frequency of reporting, according to a report by Gartner, Inc. (subscription required).

But because chief information security officers often come from a technical background, IANS found that only one in 10 chief information security officers was ready to serve on a board — with criteria for “readiness” including 10 years of infosec experience, experience in non-cybersecurity roles, ability to work with a broad range of stakeholders, advanced education and a diverse perspective.

Given the ongoing skills gap in the industry, this is an opportunity for non-cyber leaders with experience in risk and compliance to enter a completely new part of the business and perhaps advance more quickly. In particular, female leaders and others who are underrepresented in cybersecurity could find an exciting new path in the field.

How can today’s chief information security officers keep up if they are not prepared for their increasing responsibility?

Tips for Today’s CISOs

As the role evolves from a more technical to a business leadership role, today’s CISOs should hone their executive-level presentation skills and financial acumen, as well as their ability to communicate and coordinate with leaders across departments.

As leaders of companies and industries, CISOs must understand all lines of business and strengthen relationships with diverse business leaders to increase cybersecurity engagement across teams. This can be achieved through regular meetings and ongoing communication with members of the C-suite and key stakeholders.

For example, finance leaders will be more willing to invest in cyber if they understand the potential financial implications of a regulatory fine and/or a cyber breach or attack. To gain buy-in, CISOs must be able to translate their security program’s measures into business-level results, and do so at least quarterly. That means strengthening budgeting, finance, and reporting skills to effectively highlight and demonstrate the ROI of their cybersecurity program.

Rather than investing in their technical and computer skills as they have in the past, chief information security officers can focus on technologies that enable a data-driven approach to managing their security program.

Those looking to capture the attention of their boards and collaborate across teams are also seeing a greater need for soft skills, such as presentation and storytelling. To develop these, CISOs can take storytelling and communication courses or work with a coach on presentation skills.

Effective leadership has always required ongoing development, but in most cases, we are moving forward in our areas of expertise. As the CISO role continues to change, growing pains are to be expected, but it is more important than ever for these key leaders and the organizations they protect to invest in expanding their expertise.

Cybersecurity Cooperation

While the SEC has shifted the legal burden to CISOs, a cyberattack puts an entire organization’s reputation and customer data at risk and can cost millions of dollars. This makes cybersecurity breaches everyone’s problem, meaning that even as CISOs take the lead, CEOs and boards share the responsibility.

Fortunately, cybersecurity is a remarkably collaborative field, which means CISOs shouldn’t feel pressured to reinvent the wheel. As AI transforms the industry at hyperspeed, it’s imperative that we continue to share and adopt best practices and technologies that enable CISOs to protect our businesses and keep our world safe.


The Forbes Technology Council is an invitation-only community of world-class CIOs and CTOs.