The role of the chief information security officer (CISO) is highly dynamic and presents great challenges for those who serve in it. As presented in this recent report, here are ten critical success factors that a CISO must exhibit in order to be successful.

1. Communication and Presentation Skills

When working with executive leadership, it is critically important to frame the conversation in terms that the executive cares about. In this case, express the information security concepts in business terms so that they resonate with the executive. When speaking with a peer team member, speak technically and focus on the specific technical controls that need to be in place to protect the organization. When working with an employee, turn information security into something that is relevant to their role.

2. Policy Development and Administration

When developing policies, remember that policy must be implemented to be useful. The CISO must ensure that policy:

  • Meets mission strategic and tactical goals.
  • Is promulgated throughout the organization.
  • Is implementable by the organization.
  • Works to positively secure the environment.
  • Meets legal and regulatory requirements.

3. Political Skills

Being able to interact effectively within the organization is critical to the success of the enterprise information security program. The CISO should understand the needs and concerns of the executive team as they relate to the mission of the organization and then present the information security program as a response to these needs.

4. Knowledge and Understanding of the Business and its Mission

The CISO must work with mission leaders, ensuring that new security projects have value that will contribute to improved organizational resiliency and productivity. The CISO should seek out mission leaders to champion new security projects and support ongoing security activities. In doing so, the project becomes a mission activity rather than a security activity, and the organization’s senior leadership is invested in supporting security changes that will support the organization’s success.

5. Collaboration and Conflict Management

The CISO must collaborate with members of the organization’s mission team, technologists, and end-users. When collaborating with the mission team, the CISO works with them to solve issues that affect the successful operation of the organization. When working with technologists, the CISO must ensure that security requirements are well explained and that effective guidance is provided. When working with end users, it is important to develop training that drives the adoption of information security practices.

6. Planning and Strategic Management

How should CISOs engage their organizations to achieve strong support for the information security program?

  • Work with the organization’s executive leadership team to ensure that information security planning activities support the organization’s strategic plan and desired risk posture.
  • Understand all the technology projects that are underway and planned throughout the organization. This way, the information security program can work to fully integrate into each project’s system development life cycle.
  • Plan for the changes in the information security technology industry and continuously manage the overall information security program.

7. Supervisory Skills

A team of effective information security professionals is needed for any robust information security program. It is not just one person — the CISO — but a team that works well together.

Mentoring, and mentoring well, is critical in the cybersecurity field. Working with the team to develop their skills leads to a much more engaged team, resulting in a more effective and knowledgeable information security program.

8. Incident Management

Establishing an incident response program that can detect intrusions on the network and immediately work to recover from those intrusions is critical.

The stages of an effective incident management plan include:

  • Preparation: Establishing and executing a well-thought-out and effective incident response program.
  • Identification: Discovering intrusion.
  • Detection: Detecting the presence of a malicious actor.
  • Analysis: Validating the presence of a malicious actor.
  • Remediation: Eradicating the intrusion.
  • Containment: Ensuring any new information systems cannot be infected.
  • Recovery: Eradicating the infection from the information system.
  • Mitigation: Ensuring that the information system is configured so that it can no longer be exploited.
  • Post-incident activity: Evaluating lessons learned and continuous improvement.

9. Knowledge of Regulations, Standards, and Compliance

The CISO must be an authority in regulation, standards, and compliance requirements. This knowledge is important so that the CISO can tailor their expertise to meet the specific needs of their organization, leading to the development of compliant information security policies, processes, procedures, standards, and guidance.

10. Risk Assessment and Management

Risk assessment and management establish key processes used for communication between the organization’s executive leadership and the CISO.

Risk ownership is always a C-suite, board-level, and executive leadership issue, so establishing a business-level line of communication between executive leadership and the information security program is vital to establishing a risk management program. The risk management program must always be aligned with the business to be effective.

While the cybersecurity and technology fields are highly dynamic, the critical success factors discussed above are timeless. These skills are necessary to effectively lead the integration of technology with the business and mission of the organization and to align the security program with the needs, targets, and priorities of the people within.

Darren Death, Forbes Technology Council, is chief information security officer (CISO) for Arctic Slope Regional Corporation (ASRC), responsible for the ASRC Enterprise Information Security program. He has 20+ years of experience leading organizational change in the government and private sectors. His professional passion is to ensure that IT organizations focus on providing solutions that provide value to their businesses and missions.

LOCATION

Forbes Councils
745 Atlantic Avenue
Boston, MA 02110
