The message in recent years to chief information security officers (CISO) and chief security officers (CSO) is that, “it’s not enough to be a geek.”
What is still to be determined is whether a training program – even a good training program – is all it will take to make them more than geeks.
Clearly, there is a perceived need. While CISOs in many organizations are part of the so-called C-suite, surveys show they are generally held in low regard by their C-level colleagues, who think their skill set is too narrow, that they are unable to “speak the language of business,” and are most useful as a scapegoat in the event of a data breach, not as a strategic participant in business decisions.
A survey conducted by ThreatTrack about a year ago found that 74 percent of the 203 C-level executives surveyed thought CISOs didn’t even deserve a seat in the executive boardroom.
Things apparently have not improved much since then. ThreatTrack, in a follow-up report this past June said that while CISOs had made some progress, they still had a long way to go, with other C-level executives expressing, “serious doubts about their CISO's leadership abilities and understanding of business objectives outside security.”
Some things have changed, however: There is a greater awareness of the problem, and a number of vendors are offering to help fix it.
More than a year ago, the 2014 RSA conference offered a half-day session, “discussing the many aspects of business that affect CISOs, from audits to understanding employee behavior and dealing with boards of directors.”
In June 2014, Deloitte Cyber Risk Services launched what it calls an, “immersive CISO Transformation Lab,” designed to elevate CISOs from simply, “technologists and data guardians into business-minded advisers and strategists.”
And Yuri Sagalov, CEO and cofounder of AreoFS, says he has helped a number of CISOs and CSOs prepare for what he calls “question overload” in the corporate boardroom.
But is training, even if it is “immersive,” enough to transform techies, or geeks, into business leaders? A cover story this past June in Time magazine titled “How high is your XQ,” suggests it may be more complicated than simply absorbing some new information or developing a skillset.
Time reported that an increasing number of employers are using personality tests to screen applicants, in the belief that raw qualifications are not enough – that people also need to be a good “fit” for a job, in areas like temperament, personality and aptitudes.
But several IT experts say that while it will take some effort, CISOs can indeed adapt to functioning well as business leaders.
Sagalov said with the right training and mentoring, “many in IT could move into upper level management.”
And he said personality tests are not foolproof. “Studies have shown that they lack the reliability to predict employee performance, and may even be illegal when used to screen applicants,” he said.
James Christiansen, vice president of information risk management in Optiv’s Office of the CISO, said he is an example of that transformation, with titles like past CISO for General Motors and senior vice president and division head of information security for Visa International on his resume.
He began as a techie and recalled, “digging through a multi-thousand-line hexadecimal printout of an MVS system,” to find the cause of a system failure.
“Years later I am leading thousands of people worldwide and even was founder of a new company,” he said. “The fact that I started in IT as a super techie did not limit my growth.”
But, he admits he had to, “retool myself by gaining management skills, presentation skills and even dressing for the part.”
Michael Wyatt, director, Deloitte Advisory, Cyber Risk Services, said while it is not possible to transform people from one personality type to another, “we have had very good success in raising the awareness of the need to ‘flex’ communication styles.”
Wyatt said the Deloitte lab focuses on what he called the “four faces of the CISO,” which are that of strategist, adviser, guardian and technologist.
He said most CISOs focus on the guardian and technologist roles, since those are the most familiar. But he said the majority of them can grow into the roles of strategist and adviser, through the development of “critical communication skills” – yet another reference to the need of CISOs to be able to “speak the language of business.”
John Lyons, president of ThreatTrack, also believes many CISOs, “have the chops to be strong strategic business advisers.”
But, given the findings of his firm’s survey, he agreed it is a challenge for CISOs to adapt to the boardroom, in large measure because, “cybersecurity, as a separate discipline distinct from IT, is still a relatively new development.”
That is also the view of Chris Wysopal, cofounder and CTO of Veracode, who said that while people can change and adapt, “it isn’t always easy,” in part because, “the role of the CISO is still fairly new, so much of what makes a good CISO is still being defined.
“If you look at other C-suite roles – CEO, CFO, CMO – these have been established for decades, creating defined paths to success. The CISO has been around for roughly 10 to 15 years, but it didn’t come to prominence until the last few years, and then as a technical role.”
And technical skills, he added, while key to the “functional” success of a CISO, “do not lend themselves well to the business acumen and communication skills needed to work with your typical C-suite today. The main shift needed is towards thinking in terms of risk, not technology, and how this risk relates to various aspects of the business.”
Christiansen agrees, to the point that he said the job is getting a different title. “The role of the CISO is evolving to the chief information risk officer (CIRO),” he said. “The CIRO has a much broader and impactful responsibility than the CISO of the past and is a true member of the C-Suite.”
That evolution, experts agree, should also help reduce or even eliminate the perception of the CISO as a technocrat who enforces rigid security policies that other C-level executives view as barriers to progress and productivity.
According to Lyons, CISOs should use successful CIOs as models. “They need to learn how CIOs have made technology a strategic component of every aspect of business today and apply that to cybersecurity,” he said. “CISOs can’t just live in the SOC. They need to understand the entire enterprise and the flow of information across their organization.
[ ALSO ON CSO: Why the board of directors will go off on security in 2015 ]
Christiansen said some of it comes down simply to, “understanding the culture of the company for which they work,” such as whether it is “risk averse” or willing to take risks, and also to learning what are the CEOs top objectives for the year.
“Successful CISOs are able to relate each project they do to a business initiative and openly discuss how their security program contributes to revenue and the bottom line of the company,” he said.
Wysopal said while training is mandatory, “it will ultimately come down to the effort CISOs are willing to make to adapt to new environments. There will be those who ‘wash out’ for sure, and that’s a natural aspect of this sort of role evolution.”
But he added that, “the transition shouldn’t be solely on the CISOs shoulders,” given how crucial an effective security program is to any enterprise. “The C-suite already has a wealth of ability in the skillsets needed by the CISO, and they should be helping that person learn the ropes,” he said.
“An effective CISO is a powerful addition to the leadership of any company, and it’s in the best interest of everyone to foster growth that leads to this.”
That transition is expected to take some time, however. “The stereotype of security staff focused on securing the data rather than enabling the business, like any stereotype is hard to shake,” Christiansen said.