Although the function of the chief information security officer’s (CISO’s) role has not fundamentally changed since the first recorded CISO was hired nearly 30 years ago, the advent of Covid-19 in 2020 caused a shift in their responsibilities and priorities, and brought a new emphasis on the application of soft skills, according to a report.
Omnisperience interviewed CISOs from all over the world to compile the study, The CISOs’ new dawn, on behalf of Finland’s F-Secure, and found that rather than executing security as an isolated practice within the organisation focusing on network security, CISOs increasingly found themselves coupled with day-to-day operations across the whole technology stack, with risk management becoming more important.
This has also led to a rebalancing between technical capability and emotional intelligence, or EQ, which is, in turn, creating new opportunities for CISOs to become business leaders, said F-Secure. The changes were most pronounced among those working in the healthcare, manufacturing and retail sectors, all of which have been highly impacted by Covid-19.
“Today, CISOs are expected to understand and mitigate a wide variety of risks, and then relay that information – regardless of how technical it is – to everyone, from boards and company employees to external security professionals, regulators and even law enforcement,” said Tim Orchard, executive vice-president of managed detection and response at F-Secure.
“The shift to relying more on ‘soft’ skills began years ago. However, the pandemic highlighted how CISOs that proactively work with people inside and outside their organisations can be leaders for their companies.”
Scott Goodhart, CISO emeritus at electricity company AES, who participated in the study, added: “For companies, the technical aspects related to cyber security risks have become indistinguishable from other business risks.
“It just doesn’t make sense to treat attacks as only an IT or cyber security problem if they can potentially cost companies thousands or hundreds of thousands of dollars due to downtime, extortion payoffs, stolen intellectual property, and so on. In a way, technical-only CISOs have become a thing of the past, replaced by a role that is explicitly relied on to address risk in a much broader, holistic way for organisations.”
F-Secure said its interviewees tended to recognise that successfully discharging their responsibilities hinged on their ability to demonstrate that they embody the view that EQ matters to the business. This is far from business school jargon, it noted, as the importance of EQ is increasingly recognised in regulatory requirements for public companies, for example in France.
Two-thirds of those who took part in the study said they understood the increasingly vital role that EQ plays in enabling them to understand, empathise with, and negotiate with both their users and those outside their organisations.
Such abilities are not just prized, but increasingly necessary for more immediate reasons, as study participant Nathan Reisdorff, CIO at New England Law, pointed out. “When you go to remote services and distance learning, people call when panicking and become less tolerant to wait for the answers,” he said.
CISOs also recognised that they were now being called upon to communicate across the full range of their engagements with users and stakeholders, in a tone that those uninitiated in the ways of cyber security can understand.
This includes, for example, communicating in plain English, avoiding jargon and IT-speak, and encouraging users to provide clear and open communication in the opposite direction. This could also address the idea that CISOs are seen as unapproachable, even invisible, as another recent report produced for telco BT found.
F-Secure also found more CISOs were increasingly prepared to accept that they would be called to account for incidents beyond their control, such as the impact of shadow IT implemented on the quiet, or the reluctance of other users within an organisation to accept their own responsibility for security.
Successful CISOs are also now extending the notion of EQ to the security teams under their command to better support those who report to them, and understand that their teams need to consider why someone is making the effort to reach out to them, rather than focusing solely on technical resolutions.