The business landscape has undergone seismic shifts of late. Digital transformation is a leading priority for most businesses, and that’s been accelerated by the impact of the pandemic. Increased regulatory demands around data security and privacy have also led to a shift in business perspectives around security.
F-Secure set out to understand how all of this upheaval has changed the role of the CISO, surveying UK, US and European CISOs to discover how their responsibilities, challenges and skills have changed.
Here, we ask them what they found:
1. What new challenges are CISOs facing that takes them beyond the traditional CISO role?
The CISO has become an increasingly important figure over the last year, playing an essential role in helping to securely manage the transition to remote working while also contending with a progressively hostile threat landscape.
Most of the CISOs we spoke to also saw their responsibilities expanding into areas that were not traditionally covered by the role a few years ago. For example, more than half of the CISOs saw an increase in responsibility around regulation and privacy. In the wake of the GDPR and other similar regulations around the world, security and privacy compliance have become a high-level priority. CISOs have an important role in working with data protection officers (DPOs) to ensure that security processes are in place to safeguard any sensitive data covered by regulations.
2. Why is emotional intelligence important, what function does this have on being a good leader?
As a highly technical field that requires a great deal of specialized knowledge, a high IQ has long been prized in most security roles. However, emotional intelligence (emotional quotient, or EQ) has always been vital – and it’s increasingly so as security plays a more prominent part in the wider organization. Practitioners must be able to understand the needs of end-users, business decision-makers and external stakeholders, and communicate technical challenges and demands clearly to them.
This is particularly true for CISOs, who have an important role in bridging the gap between IT security practitioners and the wider business. Two-thirds of respondents in our survey said they had a clear understanding of the need for EQ skills to facilitate communicating, empathizing, and negotiating with others.
Good EQ is especially important for effective leadership. Leaders must be able to engage with their teams, build a relationship, and clearly communicate objectives and feedback. A leader with a high EQ will be more adept at managing their teams, instilling a sense of confidence and boosting morale. CISOs must also use their EQ skills to communicate up the chain, clearly relating security challenges and needs to the board of directors, representing the work and value of their team to the business at large.
3. How have CISOs’ roles changed over the last 18 months?
Between the security pressures of the pandemic, the increased volume of cyberattacks, and the increased prominence of data privacy, IT security is now more likely to be regarded as a key business department, rather than an obscure subset of IT. Accordingly, there is a greater need for CISOs to strike a balance between technical and business skills, leveraging IQ and EQ in equal measure.
This shift has led to multiple changes in the expectations and responsibilities of the CISO. Many told us that their role was now viewed less as an "internal security consultant" and more, "operational security officer". One new challenge emerging with this change in perspective is that peers within the organization may assume the CISO is familiar with the needs of every department in the business but will not necessarily have taken the time to understand the implications and challenges of cybersecurity in return.
As mentioned, data security and privacy regulations have also had a major influence on the CISO role over the last 18 months. The majority of CISOs told us they had seen a clear increase in their responsibilities relating to regulations and privacy over the last year. The huge potential cost of regulatory fines for non-compliance means that CISOs may be the ones in the hot seat in the event of serious security failings.
4. Does company achievement directly have an effect on your own need for more advanced business skills?
The further an organization travels on the path of digital transformation, the greater the pressure on the security team to effectively keep digital infrastructure protected. This means CISOs must get to grips with a fast-moving environment and ensure their security strategies are keeping pace. More than half told us they strongly believed in a need to improve their business skills.
Alongside planning and implementing security solutions and processes, CISOs also have an important responsibility in communicating them to the wider business. They will need to oversee engagement with the wider workforce about security risks and best practices for new digital infrastructure, as well as communicating risks and requirements to other executives and senior management. Accordingly, many CISOs told us they had spent a considerable amount of time studying the digital engagement strategies of their peers in order to emulate their success.
In addition, CISOs must also take the lead in communicating the impact of a security incident both internally and externally. This requires a combination of technical expertise, deep knowledge of business operations and strong communication skills.
5. How will CISOs’ roles evolve further in the future?
While CISOs have become ever more responsible for ensuring business success, it seems there is still more progress to be made in affording them the recognition deserved by such an important role. Many respondents told us that the CISO role is still seen as a middle management position, one that can be easily replaced or used as a scapegoat unless they can successfully position themselves as a valued adviser to the board.
We also found that many CISOs had been badly impacted by the pressures of the last year, with most indicating they had seen increased signs of stress and burnout. Many also believed that human resources and occupational health teams should be more engaged with CISOs and their teams.
Nevertheless, most CISOs seem to feel the role has improved over the last year. Nearly two-thirds told us they felt job security had improved and only around a third indicated they were considering moving from their current position or leaving the industry.
As digital operations continue to play an important role for most organizations, the role of the CISO will continue to shift and expand. Their unique mixture of business and technical perspectives will play an ever-greater part in areas like continuity planning and regulatory compliance alongside securing expanding digital footprints. EQ skills like communication, empathy and engagement will become more important for succeeding in this expanding role.
Tim Orchard, EVP Managed Detection and Response, F-Secure