These are turbulent times with the global pandemic impacting business. The threat landscape has also changed significantly. So, having good technical skills is not enough to be an effective security leader today.
Soft skills are now much sought after. Communication skills are invaluable. How effective is a CISO in communicating the potential impact of a security breach on the business, to the board? Team leadership, empathy, and patience are rare skills that will be in demand.
Having business skills, understanding core business processes, and being able to relate those to information security will put the CISO in a different league.
And yes, technical skills will continue to be in demand, as the attack vectors are becoming increasingly sophisticated. So, security leaders will need to upgrade their skills and knowledge to keep up.
Brian Pereira, Editor-in-Chief of CISO MAG, interacted with industry experts to understand the essential skills needed to be an effective business leader. Here’s what they have to say:
1. Is security certification enough to be an effective CISO?
Organizations are beginning to realize that proven performance matters more than years in a particular role. The bias toward hiring CISOs based on their previously held CISO positions diminishes as a useful barometer of a successful CISO. A dirty little secret of CISO turnover is that CISOs do not necessarily churn jobs based on opportunity; they are managed out because of poor performance. Companies recognize CISOs must have security program architecture experience, executive persona, and serve as operational risk management visionary. I find companies today are increasingly looking for their next generation of information security managers to be certified CISO.
2. What are the core technical skills in demand this year?
The Cybersecurity space is dynamic and continually evolving in the wake of the pandemic. This year, there has been a shift in the demand for specific technical skills across many cybersecurity tech platforms.
Some of these core skills include Application Development Security, which involves security automation, SecDevOps, predictive analysis, and machine learning; others are cloud security, threat hunting and incident response, and finally, data security/privacy. While it is pertinent to have a risk-based management approach to the above, it is important to note that soft skills remain the same over the past five years. Although technical skills have been overwhelmingly emphasized, there is also a need to develop soft critical skills such as communication, reporting, and cost-benefit analysis.
3. Why are communication skills so important?
The most in-demand skill for CISOs directly in 2021 will be the ability to communicate with the Board of Directors. We are in a turbulent moment in history, with the pandemic and geopolitical tensions playing out in real-time. Being able to communicate with the Board in clear, concise, relatable terms will be a differentiator for CISOs.
The skills CISOs will be looking for overall for the teams that report to them will fall into these areas in terms of technical skills:
- Zero Trust Architecture skills – being able to architect, deploy, and operate a Zero Trust network.
- Application Security – especially for firms selling products and services to enterprises.
- CIAM (customer identity and access management) – with customer engagement models changing and becoming increasingly digital, practitioners with the skills in customer identity and access management will be at a premium this year.
Of course, communication skills, empathy, and patience are always in demand – and rare – which makes them constantly sought after but not always easily found for any leader or practitioner.
4. What are the top three skills that CISOs need to have in 2021?
I would consider these as the top three needed skills for CISOs in 2021:
A great communicator – having the ability to acquire information about the business and possible threats and opportunities from multiple sources and distill that information into direct business impact statements that leadership and business owners can understand — will be key to the organization’s success.
Focused on Collaboration – the CISO must exhibit a collaborative approach to securing the organization; the business must be the priority, and the CISO must find creative ways to foster a secure environment based on the risk tolerance of the organization while ensuring the organization has operational functionality. Security for the sake of security is a failure on the part of a CISO — collaborative security and functional operability are where everyone is successful.
Have and maintain Technical acumen – The CISO must have demonstrated capability to understand the holistic computing environment and how the overall security protocols impact each of those environments while managing risk to and from the organization, the customer base, and the partners/suppliers within the parameters of the risk management program.
While there are many other skills needed in the toolkit, these three will position the effective CISO to become that business partner and organizational asset the leadership can depend on to manage risk for their overall success.
5. As a CISO, what are the top skills you would be looking for when you recruit people?
People generally think cybersecurity is all about hacking into or breaking things, but actually, cybersecurity is all about learning how technology (and people) work. The key is not a technical background; that is a value addition, but a willingness and desire to learn how the technology works is more important, along with the zeal to never stop playing with tools and technology.
Cybersecurity skills do not focus on solving technical problems; they instead focus on human-focused problems such as misconfiguration, a programming error, etc. As a CISO, the skills I look for, which a candidate must possess, are both soft and technical. Soft skills such as understanding of privacy, security awareness and training, knowledge of governance, security communications, or cyber law and ethics.
Technical skills such as:
- Coding – Candidates must have a basic understanding of markup language.
- Systems – Must understand the administration of Linux and Windows systems through a command-line interface (CLI).
- Applications – Knowledge of configuration, running, and maintenance of common applications such as web servers, databases, and DNS servers.
- Networking – Knowledge of how the network works is invaluable.
Years of practical experience, depending on the profile, are to be added along with soft and technical skills.
6. What are the security skills that will be in demand this year?
2020 made a lot of people much more tech and security savvy. The renewed focus has caused many people to consider changing careers and to look for new jobs in the IT security field. Hiring managers like myself will be focused on a few key skill sets in 2021. Cloud security skills and understanding the roles of the service vendor, the cloud provider, and the end customer will be a critical need for many companies this year. The single pane of glass security observation tools will continue to flourish and the skills of a SOC analyst to quickly read, understand, and respond to threats on that monitor will become sought after at all organizations even smaller offices without a robust SOC team or facility.
7. As you interact with security leaders, what are the security skills they look for when hiring staff?
We have an extensive network of advisor CIOs and CISOs who are looking at two things:
- People with the right cybersecurity skillset. But that pool of talent is very small relative to the needs in the market. The best way to address that problem is using the latest cybersecurity platforms to automate as much vulnerability management on the secondary security alert and complement it with the scarce security analyst talent to identify and proactively fix the most critical high priority alerts in the enterprises.
- Long term, we need colleges and universities to focus on educating and graduating new security talent to help fill the void for small and large companies. Secondly, companies need to implement formal training programs to continue to educate and train their talented employees as the sector continues to evolve daily.