Being the founder and CEO of a virtual CISO firm, I get asked questions about professional development from time to time.
How do I advance my career in cybersecurity management?
How do we grow our ISO into a leader in our organization?
My immediate answer to both is: “Work on the soft skills.”
Don’t get me wrong, a Chief Information Security Officer needs to have a good technical foundation to facilitate risk management decisions in their organization. But for me, it’s the underestimated soft skills that make the difference between a good CISO and a great one.
The technical resources are in abundance, almost to the point of overload. They are tools that can help us, but it’s how we use those tools that makes for a good CISO.
Information Security is a human problem, not a technical one. To be successful in this fight, we need to hone our skills in leadership, culture, and relationships.
So, in Friday 5 fashion, I'm going to outline the five soft skills that I think are the most important to either build your career in cybersecurity management or to help develop your in-house information security officer.
Every good CISO needs to be able to relate their thoughts, ideas, and decision-making processes to other people. This starts with delivering information in written text in a clear, concise way. To be effective, you need to get your point across quickly and efficiently in your emails and written reports.
This also includes good verbal communication. That means being able to collect your thoughts and communicate them in a clear, calm manner. This may be in day-to-day conversations, in debates in a committee meeting, or presentations to the board of directors.
Above all, in both cases, the ability to simplify complex ideas and concepts is vitally important. To be successful, you have to make the information relatable to all stakeholders in your organization.
All CISOs are going to have to have difficult conversations in their career (maybe even on a daily basis!). Just like any other skill, these conversations are a muscle that can be strengthened through practice and repetition.
The way in which a CISO delivers bad news, disagrees with an idea, or calls someone out who’s not doing their job will affect their influence and level of respect in the organization.
A CISO who can't do these things well will either be the jerk that everyone avoids or the softie that always gets run over. Neither of those situations will lead to your success.
You need to learn to deliver information, both good and bad, with love and clarity.
I recommend these 2 books that can help with both:
Crucial Conversations https://www.amazon.com/Crucial-Conversations-Tools-Talking-Stakes/dp/1260474186/ref=sr_1_1?crid=2DC8EDPJ0C2UJ&keywords=crucial+conversations+book&qid=1694700243&sprefix=crucial+%2Caps%2C102&sr=8-1
To be a successful CISO, you must build trust. At Bedel Security, it’s often said that “we are in the trust business.” It’s that important.
For me, the best framework I’ve found to define trust comes from the Trust on Purpose Podcast (link below). They define the 4 quadrants of trust to be:
I recommend examining each of your key responsibilities and asking yourself for each quadrant: “Am I doing things to build or deplete trust in this area of my job?” It’s a great self-assessment and will lead to your better understanding of the components of trust, but more importantly, where you can improve.
If you are a new CISO, understand that the first 90 to 180 days of your time in your organization are vitally important to building trust. Everything you do and say will be under scrutiny during that period.
In my experience, if you fail to build trust in the first 90 days, it is very difficult to do so later. You must bring your best in each quadrant to be successful.
I recommend the Trust on Purpose Podcast; this episode describes the framework and is a great starting point: https://trustonpurpose.buzzsprout.com/1930011/10067148-the-framework
From there, the deep dive episodes on each quadrant are very helpful.
This may be the most difficult of all five areas to develop. But it is important for a CISO to be able to get things done for the good of the business.
Some things I recommend to get better at problem-solving are:
People want to work with problem solvers. If you can establish a reputation as a problem solver, people will come to you when they're dealing with something difficult rather than avoid you, and that's a great thing for a CISO. Solving problems also builds goodwill with the other business leaders in your organization.
To be successful as a CISO, you need to be involved in the business, and becoming a problem solver is a great way to do so.
It's really easy for a CISO to live in the moment if you're stuck putting out fires all the time. If you are in that position, you need to take time to stop and look ahead.
The CISO cannot be reactionary. Good information security is proactive. If you can't create a vision and plan for 90 days, 1 year, and 3 years, you will always be reacting.
A component of strategy that's very important is understanding the business that you serve. What are their objectives and how do you align information security with those objectives?
When you can begin to help the organization grow, you’ll make cybersecurity a business enabler – the ultimate form of success for any CISO.
I hope you found this post helpful. If you're seeking advice in any of these areas, I am available to anyone for a 30-minute consultative call at no cost. Just email me at chris@bedelsecurity.com and I’ll send you my scheduling link.
Or if you are looking for a more formal coaching service designed to help individuals grow as a CISO, check out our CISO Mentor program.