
Posted 16 December 2019

By enabling organizations and information systems to be more agile and connected, digital transformation has also made them more vulnerable. To address key security issues and growing risks, the role of Chief Information Security Officer (CISO) has changed significantly in recent years.

Formerly responsible mainly for ensuring their organization’s certifications (ISO 27001, etc.), CISOs must now wear multiple hats and combine varied and specialized skills to protect their organization. They implement protections against cyber-threats and means to control their impact (reducing vulnerabilities, resolving compliance issues, etc.). They are also responsible for budgets, and they advise, train and report issues to senior management and employees so that best practices are applied and risky behaviors are reduced.

This evolution brings many challenges for CISOs, for whom new skills become key: business acumen, communication and presentation, crisis management and leadership.


What changes should CISOs expect in the coming years?

CISOs are today the experts who, according to ANSSI, define information system security policies and ensure their application. They play a role in advising, assisting, informing, training and alerting senior management. Depending on the size of their organization, they either play an operational role in implementing security policies or supervise a team of technical experts and consultants. They recommend the IS security policy to the competent authority and ensure it is applied. They can act on security matters across all or part of their organization’s IT and telecom systems, at both the technical and the organizational level. They monitor technological and regulatory developments in their field and recommend the changes they deem necessary to guarantee the security of the IS as a whole. They are the recognized interface for operators and project managers, as well as for experts and other stakeholders.

Increasingly, it is essential for CISOs to focus on people, not only on technology. Indeed, what is the point of deploying security products if users misuse them, or do not use them at all? CISOs must regularly meet business units and users of their IS to understand their issues, so that they are seen not as an obstacle to productivity but as a partner.

Digital transformation and the increase in cyberattacks are changing the priorities of organizations and CISOs. CISOs are now a strategic element of management teams. This is one of the strongest transformations of the role: they become a stakeholder in their organization’s strategy and must, as such, be able to take part in decisions and anticipate events.


What are the qualities required to meet these new business challenges?

Although technical skills remain paramount for CISOs, they are no longer sufficient to cover the variety of skills required. Stéphane Renaud, CIO of Vivendi, declares: “The first quality of a good CISO is that he or she must be a very good communicator.”


These are the qualities that allow CISOs to excel:


  • Technical skills

First, it is indisputable that CISOs must have technical skills and the ability to keep their knowledge current in this ever-changing industry. In addition, they may have an operational role in implementing security policies in line with business needs.


  • Managerial skills

They must also be qualified managers and good listeners, as they usually supervise a team of technical experts and consultants. These qualities matter all the more as the list of their missions grows longer: they must be able to delegate some of their tasks efficiently and with confidence.


  • Financial skills

For CISOs, financial management has become an essential skill in the face of limited budgets. Osterman Research’s Life inside the Perimeter – Understanding the Modern CISO survey for Nominet reveals that fewer than one in two CISOs (43%) consider their budget appropriate. Whether for consulting, technical or security services, CISOs must be able to monitor and streamline security investments.


  • Leadership skills

Knowing how to communicate is essential for CISOs. They are the spokespersons for common security rules with all stakeholders: directors, managers, business partners and IT professionals. While CISOs advocate new tools and practices, they must also be able to ensure their adoption and support employees through these changes. This complex mission requires strong leadership.


  • Legal skills

The regulatory framework around information system security is tightening. CISOs must be able to speak the same language as lawyers and translate legal obligations into security requirements.


  • Crisis management skills

Crisis management is today an inherent part of the role. In the event of an incident, CISOs are exposed to media and political scrutiny, and they must be able to take the right decisions and communicate the right messages together with the CIO.


  • Collaborative skills

Finally, it is unthinkable for CISOs to work alone behind their desk. They must build relationships with all employees, and in particular with the business teams who share their challenges. They must also work hand in hand with CIOs, who drive information system developments and rely on CISOs to secure them.


Their best allies in overcoming these new and multiple challenges are undoubtedly the CIOs: together they form a duo that benefits from working as one, by leveraging their complementary strengths.