Sunday, September 25, 2022

Empathy is now a key skill of a CISO, conference told

It used to be a CISO had to know programming, network architecture, and how to read a vendor contract.

Now understanding the goals of senior executives is the key skill, IT managers have been told.

“If CISOs can learn one thing, it’s empathy,” Bil Harmer, chief evangelist and CISO at SecureAuth, said during a panel on Monday, the first day of the CISO Forum Canada 2021 conference.

“Learn what the startup is thinking, what the CIO is thinking, what the finance guy is thinking, what the CEO is thinking. You want to know what they’re thinking and why they are thinking,” he said. “And then you can put their wants in your world.”

Harmer was a member of a panel asking whether the CISO today is a technical leader or compliance expert.

Panelists agreed the days of the CISO as strictly a technical leader are gone.

A CISO “is a business person,” said Daniel Pinsky, head of security governance and compliance at CDW Canada. “Most of my job on a daily basis is dealing with governance risk.”

Having a technical understanding is important, he added, but not as important as it once was.

Explaining to executives and the board the value the cyber team can bring to the organization’s strategy is what’s vital now, said Kush Sharma, former CISO of the City of Toronto, who now runs a boutique firm specializing in governance and digital transformation.

In fact, he said, in his last two positions he had to change the mindset of the IT teams he led. “One of my rules: we don’t say we are a technical team, we are a business team. Full stop. The bonus structure, the incentives, everything is tied to acting like a business.”

“It’s a business role,” agreed Harmer. But, he added, don’t discount the importance of being able to translate the technical to the business side. “That’s probably one of our key aspects — how do we talk to the business about what we’re doing.”

For some infosec leaders years ago “security was purity. It was a higher level, almost religious experience — ‘We’re going to have perfect security’ — and we became very closed. Now we have to open up and understand the business.”

“We have to compromise in what we deliver,” he admitted. “If it [security] is too expensive, it’s not good for the business. If it’s not usable people go around it.”

Risk and enabling business will always be at odds with each other, he added. “You’re always pushing the business. No one wants to spend more money building a product than they have to. Look at startups. Startups aren’t going to put money into security [in their products], simply because there is no product yet to deliver, no customer, no product stream. So why are they going to put it in? So how do you balance the risk? By building the hooks [in the product for security] on the premise that you will be successful.

“I tell startups if you’re not at least building the hooks and the fundamental basis for a good solid security program in your product, you’re telling investors you do not expect to succeed. That turns it around.”

The fight between minimizing security risk, meeting compliance obligations and helping the business is never-ending, said Pinsky. “My job is a facilitator.” The business wants to push a product or service out, but IT’s job is to remind others there are PCI, ISO or NIST requirements to be met. “Then it’s our job to pull in the right stakeholders from around the organization and ensure we maintain that — but at the same time allow the business to push itself forward … It’s a lot of educating different areas of the organization, helping them understand the business must keep moving forward but the other pieces are balanced.”

As for who the CISO should report to, there was no disagreement: Only to the CEO.

“When you report to a CIO there’s a massive conflict of interest,” Harmer argued, because the CISO reports on the gaps in the infrastructure — which the CIO designs. That criticism (or honesty) “will always affect you come compensation or bonus time. Even in your career path,” he said.

One last observation: Harmer noted that for some CIOs, designing an organization’s infrastructure has become easier as more applications move into the cloud. As a result, they’re changing careers.

They’re becoming CISOs.

The CISO Forum Canada continues this week.
