It used to be a CISO had to know programming, network architecture, and how to read a vendor contract.
Now understanding the goals of senior executives is the key skill, IT managers have been told.
“If CISOs can learn one thing, it’s empathy,” Bil Harmer, chief evangelist and CISO at SecureAuth, said during a panel Monday, on the first day of the CISO Forum Canada 2021 conference.
“Learn what the startup is thinking, what the CIO is thinking, what the finance guy is thinking, what the CEO is thinking. You want to know what they’re thinking and why they are thinking,” he said. “And then you can put their wants in your world.”
Harmer was a member of a panel asking whether the CISO today is a technical leader or compliance expert.
Panelists agreed the days of the CISO as strictly a technical leader are gone.
A CISO “is a business person,” said Daniel Pinsky, head of security governance and compliance at CDW Canada. “Most of my job on a daily basis is dealing with governance risk.”
Having a technical understanding is important, he added, but not as important as it once was.
Explaining to executives and the board the value the cyber team can bring to the organization’s strategy is what’s vital now, said Kush Sharma, former CISO of the City of Toronto, who now runs a boutique firm specializing in governance and digital transformation.
In fact, he said, in his last two positions he had to change the mindset of the IT teams he led. “One of my rules: we don’t say we are a technical team, we are a business team. Full stop. The bonus structure, the incentives, everything is tied to acting like a business.”
“It’s a business role,” agreed Harmer. But, he added, don’t discount the importance of the ability to translate the technical to the business side. “That’s probably one of our key aspects — how do we talk to the business about what we’re doing.”
For some infosec leaders years ago, he said, “security was purity. It was a higher level, almost religious experience — ‘We’re going to have perfect security’ — and we became very closed. Now we have to open up and understand the business.”
“We have to compromise in what we deliver,” he admitted. “If it [security] is too expensive, it’s not good for the business. If it’s not usable people go around it.”
Risk and enabling business will always be at odds with each other, he added. “You’re always pushing the business. No one wants to spend more money building a product than they have to. Look at startups. Startups aren’t going to put money into security [in their products], simply because there is no product yet to deliver, no customer, no product stream. So why are they going to put it in? So how do you balance the risk? By building the hooks [in the product for security] on the premise that you will be successful.
“I tell startups if you’re not at least building the hooks and the fundamental basis for a good solid security program in your product, you’re telling investors you do not expect to succeed. That turns it around.”
The fight between minimizing security risk, meeting compliance obligations and helping the business is never-ending, said Pinsky. “My job is a facilitator.” The business wants to push a product or service out, but IT’s job is to remind others there are PCI, ISO or NIST requirements to be met. “Then it’s our job to pull in the right stakeholders from around the organization and ensure we maintain that — but at the same time allow the business to push itself forward … It’s a lot of educating different areas of the organization, helping them understand the business must keep moving forward but the other pieces are balanced.”
As for who the CISO should report to, there was no disagreement: Only to the CEO.
“When you report to a CIO there’s a massive conflict of interest,” Harmer argued, because the CISO reports on the gaps in the infrastructure — which the CIO designs. That criticism (or honesty) “will always affect you come compensation or bonus time. Even in your career path,” he said.
One last observation: Harmer noted that for some CIOs, designing an organization’s infrastructure has become easier as more applications move into the cloud. As a result, they’re changing careers.
They’re becoming CISOs.