The top five skills of a CISO
11:30 Wednesday, 11 August 2021
UK Cyber Security Council
What skills does one need to work in cyber security? How long is a piece of string? It’s tempting to suggest that if one asks half a dozen different people, there will be half a dozen different answers. But is that in fact the case? We compared ten different articles that focus on the skills a CISO needs.
With regard to technical expertise, four of ten chose not to say it was necessary and instead focused on the soft skills elements. The majority (six) that did cite it as necessary, however, were generally very blunt – saying, for example: “effective CISOs … do need to have a strong understanding of the information technology systems they are protecting and the tools they are using to protect them”.
The closest to unanimity among CISO skills was communication – and in fact those that didn’t specify the “c” word specifically still alluded to it with phrases like “executive presence” and “ability to influence the Board”. Communication is firmly on the CISO skills list, therefore.
Strategy and an understanding of the business mission also scored well. One list cited “knowledge and understanding of the business and its mission” specifically, while others used words like “align plans with core objectives” and “align [the] business mission with security objectives”.
Leadership was listed specifically in four of the ten lists, with “supervisory” skills in one more and “planning and strategic management” in another. The rough concept is clearly considered important in some guise, therefore.
The final item that leapt from the page in six of the ten lists was the ability to learn and continuously develop one’s skills. As one list put it: “[CISOs] must be dedicated to their own education and self-development”.
The other skills that received fewer mentions? “Political skills” was an interesting one, though the detail talks in a slightly more diplomatic way as: “understand[ing] the needs and concerns of the executive team … and then present the information security program as a response to these needs”. Then we had “having a mind for metrics”, problem-solving skills, inter-departmental co-ordination, attention to detail, ambition, empathy and ethics.
The core five top skills were largely unsurprising, though: begin with a level of technical knowledge, be a tremendous communicator, be an effective leader, and make sure you understand the business so you can apply your security approach to it. And finally, keep your knowledge up to date to remain effective.
Appendix: the ten lists