What Makes a Successful CISO?
Every CISO has a unique path to getting the role. But once you're there, what does it take to be effective?
Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark, the producer of CISO Series, and guest co-host Christina S., CIO, KIK Consumer Products. Joining us is our guest, Tomer Gershoni, former CSO, Zoominfo.
Moving beyond technology
A CISO obviously needs a level of technical understanding to be effective in their role. But that technical background shouldn't define them. "The CISO has transformed from being a senior technology role to a senior organizational leadership team member. They need to be able to connect threats with real business outcomes and effectively communicate this information to a wide variety of stakeholders," said Al Berg of Tassat. If CISOs want a voice in company strategy, they can't be pigeonholed as a purely technical role. Vishal Chawla of BluOcean Cyber laid out how this can get CISOs a seat at the table, saying, "Many security leaders are often boxed into their roles as technologists and defenders. However, I've seen a recent shift where a few are enhancing their strategist and collaborator muscles, and those individuals are finding a place at the strategy table with C-Execs."
The art of a CISO
While cybersecurity is often defined by its technical controls and rigorous processes, the CISO role goes beyond that. Connecting security risks to the business isn't a formula and requires a human touch. "CISOs need to take a function which is not well understood and make it valuable to the CEO. It's an art, and you must tailor your approach and priorities to the needs of an individual business," said Raymond Cheng of Decrypt Compliance. As Aysha Khan of Treasure Data pointed out, a CISO is in the business of relationship management as much as anything else, saying, "CISOs are responsible for monitoring and identifying potential risks within an organization. Then they need to articulate these risks to all stakeholders and build trusted relationships to align everyone on strategic security priorities that can help achieve business objectives."
CISOs always operate in context
While CISOs can look to general best practices, a truly effective CISO needs to understand not just their organization, but the norms of the industry they operate in. "Each organization and each industry are different and unique in many respects. Unless you understand what the business does or wants, you can never be effective," said Aditya Sarangapani of WNS. For Nick Reva of Snap Inc., a CISO who pairs that context with excellent communication is a highly effective one: "What it really takes is a deep contextual understanding of the industry you are a CISO in, the norms of the company and hyper-effective leadership skills and very effective prioritization and communication."
Elevating the CISO conversation
Some people bristle when told a CISO can't solely focus on tech tools. This isn't because these tools aren't important. But a CISO needs to select, deploy, and manage them in the wider context of the business. "The idea that one has to shift from focusing on tech tools and outputs has caused a lot of reactions. To elevate beyond tech tools, a CISO needs to have great leaders on your team selecting and managing those tools," said Jamie Walsh of Archer Integrated Risk Management. Selecting tools without a wider business context is almost impossible to do effectively. "A CISO needs to focus on resource allocation and prioritization decisions. However, to define priorities, they need to be able to link all this information into the business 'so what' question. This requires an understanding of what the most problematic risk events and their business impacts are," said Peter Geday of ManageXValue.com.
Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you're not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now. Thanks to SeeMetrics.
Huge thanks to our sponsor, SeeMetrics
Subscribe to Defense in Depth podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.
Join us TOMORROW, Friday [06-14-24], for "Hacking the Conversation Around Risk"
Join us Friday, June 14, 2024, for "Hacking the Conversation about Risk: An hour of critical thinking about how to elevate communication with the business."
It all begins at 1 PM ET/10 AM PT on Friday, June 14, 2024, with guests Neatsun Ziv, co-founder and CEO, OX Security, and Taher Elgamal, partner, Evolution Equity Partners. We'll have a fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup, which will be happening on Discord. So if you don't already have a Discord account, get one before Friday.
Thanks to our Super Cyber Friday sponsor, OX Security
Where Can We Win Against Ransomware with Halcyon
The current state of ransomware is alarming. It has evolved into a highly lucrative criminal enterprise with minimal risk to its operators. This follows the overall ransomware shift towards monetary gain through sophisticated SaaS-style offerings that make it easy to deploy ransomware without technical expertise. In response to these pressures, organizations need targeted solutions, argues Ben Carr, advisory CISO, Halcyon. Today the most cutting-edge solutions prevent ransomware attacks and offer a chance to decrypt affected systems.
Huge thanks to our sponsor, Halcyon
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Ty Sbano, CISO, Vercel. Thanks to Vanta.
Thanks to our Cyber Security Headlines sponsor, Vanta
Jump in on these conversations
"What's the job market looking like for remote Cyber jobs?" (More here)
"Why Isn't Post-Quantum Encryption More Widely Adopted Yet?" (More here)
"How do you predict entry cybersecurity jobs in the future?" (More here)
Coming up in the weeks ahead on Super Cyber Friday we have:
Save your spot and register for them all now!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship, contact me, David Spark.
Cybersecurity Strategist & CEO @ BluOcean
5 months
Thank you David Spark for including my and BluOcean Cyber's research in the article. In my view, it's time that CEOs should be actively involved in interviewing CISOs to ensure they are hiring candidates who possess both leadership qualities and technical expertise. This would significantly enhance ownership of cybersecurity and provide greater support for the CISO role. The SEC rule has provided CISOs with an opportunity to move to the executive table and be a partner with the CEO and management. CISOs need to seize it! It's time for this paradigm shift for the good of businesses, our communities and our national security!
CEO & Co-founder at Kovrr | Cyber Risk Quantification
5 months
Yes! Effective cyber risk management is contextual! And finding a way to contextualize those risks (i.e., prioritize them) is one of the biggest challenges a CISO faces, especially because it requires outside communication with other key stakeholders who may not understand the inherent importance or value cyber brings to the table. Ultimately, it's all about finding a way to speak to these executives in a language they understand, one that resonates. Great listen.
Thank you David Spark for such a great session. So many great moments and quotes to choose from. Looking forward to the next episodes!
SOC 2 & ISO 27001 audits | Founder & CEO @ Decrypt Compliance
5 months
David Spark, appreciate you including my views on the art of the CISO role. A CISO needs to be able to "read the room" of their executive team to understand how they can best promote security within the context of that company's culture and expectations in order to deliver value to the CEO. To be successful, you need emotional intelligence as much as you need technical acumen.
David Spark, thank you and your team for this great piece! I’m humbled to have been included