Emotional intelligence is becoming an increasingly important skill for CISOs to master as their roles continue to broaden, according to a new study by F-Secure.
A series of interviews conducted with relatively small number of CISOs (28) from the US, UK and other European countries suggested that the role of CISO is no longer purely technical in nature. Two-thirds said they understood the growing importance of emotional intelligence in enabling them to understand, empathize and negotiate with people both inside and outside of their organization.
Additionally, three-quarters noted that their role has shifted to covering every aspect of technology being deployed in their organization, as opposed to focusing on network risk. This was particularly the case for CISOs working in healthcare, manufacturing and retail industries.
The report, entitled CISOs’ New Dawn also found that over half of those interviewed were experiencing an increase in responsibilities as a result of new privacy regulations. More than a third revealed they were considering leaving their position or changing professions, suggesting that the new landscape may be creating more stress and burnout for CISOs, which has previously been highlighted as a significant problem.
Encouragingly, most CISOs felt secure in their posts and 65% saw themselves as critical to their business.
Tim Orchard, executive vice-president, managed detection and response at F-Secure, commented: “Today, CISOs are expected to understand and mitigate a wide variety of risks, and then relay that information – regardless of how technical it is – to everyone, from boards and company employees to external security professionals, regulators and even law enforcement.
“The shift to relying more on ‘soft’ skills began years ago. However, the pandemic highlighted how CISOs that proactively work with people inside and outside their organizations can be leaders for their companies.”
One of the interviewees, Scott Goodhart, CISO Emeritus at the AES Corporation, said: “For companies, the technical aspects related to cybersecurity risks have become indistinguishable from other business risks. It just doesn’t make sense to treat attacks as only an IT or cybersecurity problem if they can potentially cost companies thousands or hundreds of thousands of dollars due to downtime, extortion payoffs, stolen intellectual property, etc.
“In a way, technical-only CISOs have become a thing of the past and replaced by a role that’s explicitly relied on to address risk in a much broader, holistic way for organizations.”