As the senior security role inside many corporations continues its inexorable elevation away from front-line defense, many practitioners see their roles gravitating to a more strategic position. Today’s contemporary CISO is no longer defined by days strapped to a SIEM, tracking threat intel feeds or making sure technical hygiene is maintained. A far broader skillset is now required.
As risk posture is increasingly entwined with company value, the job has become as much about people and process as technology. The ‘unicorn’ security person sought by many boards now, is someone who understands how to put cybersecurity into a wider business context. Those with the ability to make strategic decisions founded in the commercial imperative of the organizations they work for, are highly sought after.
This, of course, doesn’t just mean being a hard-nosed economist, a sound technical understanding is obviously still at the heart of the day job. However, now more than ever it is about being able to take a far more rounded view of all the elements required to minimize risk.
One of the primary factors in delivering an effective security posture is the ability to oversee human assets. While hardware and software form a digital battleground upon which the all-important risk calculation is played out, the deployment and management of people is fast becoming the all-important factor for dictating how successfully this war is waged.
This has been a gradual industry change. However, with the sudden fragmenting of the workforce, many CISOs are being forced to update their human resources playbook to reflect teams who, for the most part, are now scattered in bedrooms and kitchens across the globe.
Some interesting challenges arise here. First and foremost, how do security leaders encourage the necessary rapport with those they manage, while remote? All of a sudden, the comfortable blanket of meeting rooms, face-to-face chats, watercooler moments and evenings in the pub has been whipped away. Many fear this will sap the interpersonal relationships that motivate and bind the people they manage. A by-product of such a situation is a reduction in cross-team working, leading to more siloes, and a gradual strangling of productivity.
The CISO who excels in 2020 is one who adapts to this situation and finds innovative new ways to collaborate and build relationships with their charges on digital platforms, and in other creative ways.
As much of a security issue as they create, cloud-based collaborative tools can be a huge driver for shared working and a bonding tool. A failure for a CISO embrace such platforms may be the undoing of some as younger, more digitally savvy, colleagues may be waiting in the wings. Staying relevant as the world changes is key.
The broader issue of geographical distance also risks manifesting as a talent problem for CISOs. Hungry to learn and cultivate their skills, career development is still crucial to many in the security team. Today’s senior leader needs to ensure the legacy way of doing this, typically physical training in person, is updated to reflect the world of mass home working.
The same goes for the initiatives larger companies undertake to develop security talent from within. The agile CISO needs to innovate, finding ways for pushing people into in-house infosec teams through programs of evangelization, all while remote.
Once talent has been identified – thought also needs to be given to the onboarding process. After expending resources hiring or creating staff internally, a solid initiation program while remote is key to avoiding the kind of cultural awkwardness that could arise from bringing new people into the team while remote. As everyone knows, first impressions last.
The underlying answer to many of these problems lies in creating a culture which truly embraces the new world of work. This is more than merely accepting it is OK to work from home but removing the stigma entirely. To do this, CISOs need to lead from the front and extol the virtues of flexible working, such as exercise breaks, time with friends and family – while at the same time adopting a pragmatic approach to performance. Finding a balance between productivity and flexibility is key. It may even help address some of the burnout endemic in the industry.
Acceptance of these macro level changes is not something the CISO should be doing in isolation. Across the entire C-Suite, many are coming round to the idea that returning to the office is not a binary choice and a blended office/home hybrid will become the norm. In fact, management teams are celebrating the momentum created by their organization’s ability to embrace change and drive innovation and are weighing up which ‘emergency measures’ need to be made permanent. Many have the possibility of driving huge unexpected efficiencies.
The CISO of 2020 is one who is aware of all this and is willing to innovate. Someone who is prepared to listen to the business context and be agile. Historically, the job has been defined by technological innovation.
However, a similar mindset must now be taken to driving change in the people and processes they manage. This year may have been equal parts unexpected and unsettling, however it also presents huge opportunities for the brave.