What cybersecurity skills do I need to become a CISO?

Microsoft

By Abba Kudrati, Chief Security Advisor

The role of a chief information security officer (CISO) is a goal all cybersecurity professionals aim for. However, it encompasses more than just cybersecurity operations. To succeed in this role, you need strong communication skills and a deep understanding of the business.

I began my career as an IT System Administrator, and as I worked my way up to CISO, I've learned that the higher you go, the more you need to understand and work with the business. In this article, I'll share some tips on how you can excel.

Wearing many hats
The key to business success is leveraging technology and moving to the cloud, but this also increases opportunities for cyber threats. Today, a cyber incident can have a tremendous impact on a business, leading to data breaches or financial loss.

CISOs today need to play multiple roles from technologist and guardian to strategist and advisor. To excel in these roles, it's important to learn about the business, understand risk management, and improve your communication skills. Here's a quick look at what each role does:

Strategist: Drive business and cyber risk strategy alignment, innovate, and instigate transitional change to manage risk through valued investments.

Guardian: Protect business assets by understanding the threat landscape and managing the effectiveness of the cyber risk program.

Advisor: Integrate with the business to educate, advise, and influence activities with cyber risk implications.

Technologist: Assess and implement security technologies and standards to build organizational capabilities.

How to be a good strategist and advisor
If you are looking to grow into a CISO role, gain experience and certifications in a variety of areas like threat analysis, threat hunting, compliance, ethical hacking, and system auditing. But don't forget to find time to work on the following leadership skills too.

  • Understand the business: To step up to an executive-level role, start by thinking like a businessperson. Learn all you can about the business environment and where your company fits in. This will help when you need to make decisions about allocation of limited resources to protect company assets.
  • Learn risk management: Companies often take strategic risks to reach the top. But these decisions could expose the company to a potential cyberattack. As a CISO, you will need to help identify these risks that should be considered alongside financial and operational risks.
  • Improve your communication skills: As a CISO, you will be communicating with people who have a variety of agendas and backgrounds. A communication plan can help you refine your messages for your audience and better understand the goals of the people you are talking to.

A good communication plan delivers targeted security messages:

  1. Manager meetings - Tactical plans, new policies, scheduled activities
  2. Steering committees - Strategic initiatives, policy approval
  3. Board meetings - Security posture, competitor comparison
  4. Management, newsletter, emails - Interim updates, issue reinforcement
  5. One-on-one sessions - Department issues, testing for reality

The role of CISOs has expanded beyond security to the boardroom in recent years. To help you step into this important role, learn key skills like risk management and communication now.
