Need a CISO? No need to look for that tech boffin

This is a guest post by Yvette Lejins, resident CISO at Proofpoint Asia-Pacific and Japan

The role of the CISO (chief information security officer) has become increasingly important as business leaders gain a clearer understanding of how their organisations are protected. CISOs now exercise greater influence on important decisions, recommending and even approving key strategies. As the role rises in prominence, however, many organisations struggle to recruit qualified and experienced candidates.

Ten years ago, the CISO role was not mainstream in the Asia-Pacific (APAC) region, other than in banking and finance. Now in many organisations the CISO often has the CEO’s ear, and is considered a peer to the CIO and chief technology officer rather than working under them in the depths of IT.

CISOs are in short supply and high demand—not surprising, considering the overall cyber security talent gap, which was estimated globally at 2.72 million in 2021. APAC has the biggest shortage (1.42 million). Enticed by new challenges, higher pay, and other incentives, many CISOs don’t stay in their job longer than a few years. Eighty-five percent of surveyed CISOs globally admit they are actively looking for a new role or would consider one if a prospective employer approached them.

High turnover and unfilled senior positions leave gaps at a time when organisations increasingly need a strong cyber security leader to guide the business through security initiatives. That is why you need to think creatively when hiring your next CISO, and look beyond the traditional path to find the talent and skills you need.

Why you should expand your recruitment strategy

Traditionally, most CISOs come from a technical background. One recent survey, for example, found that 84% had majored in computer science and 44% came from IT. But CISOs should be business-focused leaders first, and technologists second. They must have as much business acumen as technical skills, if not more. Unless your company is exceedingly small and requires a hands-on practitioner at the helm, consider technical expertise a “nice to have” rather than a requirement.

I have met many talented and exceptional CISOs who were accountants, lawyers, teachers, and even a botanist in their former careers. They may not have a deep level of technical knowledge, but they know how to ask the right questions, are tech savvy, translate cyber security threats into business implications, and guide teams into implementing effective strategies. Those are the skills that help successful CISOs drive your business forward while ensuring you are balancing risks.

It may surprise you what kind of career can build the right skill sets that transfer well to the CISO field. When I was a CISO at an airline that services the APAC region, I mentored a pilot who was interested in aviation cyber security after Covid-19 impacted her role as a first officer for a Middle Eastern airline. I helped her navigate how her pilot’s risk and safety-management skills easily translated to a cyber role. In the almost two years since she approached me, she has changed course to become a risk manager for a large, well-known insurance company in Europe. I have no doubt she is on a fast track to becoming a CISO, should she choose to do so.

The most important skills every CISO needs

First and foremost, cyber security leaders need skills that will help them guide people, win agreement for security programmes, and steer the business on a path that aligns security with its overall objectives and goals. These are the most critical skills to look for:

  • Communication — the CISO must articulate cyber security threats and priorities to a wide range of stakeholders, as well as drive the security conversations. This includes both fast-paced activities during a major incident and more typical settings, such as board presentations. CISOs are also frequently the face of the business, internally and externally, for security matters.
  • People and leadership — CISOs do not work in a bubble. People and leadership skills expand on communication proficiency to help your CISO foster relationships and influence peers and teams across multiple functions. This individual also must work with marketing, corporate communications, legal, operations, and other departments, and building relationships with them makes the CISO more effective when a crisis emerges.
  • Risk management — cyber security is all about managing risks based on your highest priorities and biggest threats. As a risk expert, the CISO has the job of understanding how cyber risk connects to other risks across your business, including the financial implications—and then articulating this risk to your leadership team.
  • Empathy and emotional intelligence — these skills are becoming more valuable for a CISO who must understand and empathise with people within and outside of the organisation. Striking the right tone in important conversations takes emotional intelligence and an ability to communicate in a relatable, non-technical way.
  • Strategic thinking — to protect data effectively, the CISO needs to not only understand the bigger picture but also have a roadmap for analysing and filling security gaps, whether you are outsourcing security activities or managing them in-house.
  • Incident management — security incidents are all but guaranteed in any organisation, and the CISO needs to own the room. Exuding confidence and providing knowledgeable guidance are especially important when your incident response team is under pressure and working in a high-stress environment to contain a threat. In essence, the CISO needs to be the air traffic controller.

Besides these core skill sets, consider other needs based on factors such as your industry and the size of your company. For example, if you are a software company, software development skills may be useful for understanding the core business operations. For a smaller company, hands-on tactical experience matters more. But even in those circumstances, don’t focus solely on the technical aspects while downplaying a non-technical background and soft skills.

One avenue that many organisations miss during the CISO search is a look inside their current talent pool. Are there strong leaders in other areas who could cross over into the role? If you are a large organisation, you may already employ the right candidate. If this person has an interest in cyber security, the right mentality, and the drive to succeed, taking this non-traditional recruitment path can pay great dividends for your business.
