Why CISOs need to understand the business
While CISOs need technical skills, business skills help them push their team’s agenda and get the support and funding they need to protect their company.
By Isabella Harford, TechTarget
When you hear the title CISO, you think of the person in charge of an organization’s cyber and data security strategy. A key component of the CISO’s role is keeping an organization afloat. Without the necessary guardrails in place and proper planning by the CISO, a data breach, for example, could cause an organization to crumble under the weight of financial and reputational damages.
Many CISOs, however, struggle to garner support from colleagues, board members and C-level professionals.
“If you’re a nerd who can’t talk business, they’re not going to take you seriously,” said Erdal Ozkaya, author of Cybersecurity Leadership Demystified.
In his book, Ozkaya offers tips to CISOs on how to balance the technical and business sides of the CISO role, as well as advice on how to communicate about cybersecurity on a senior and operational level. Guidance on building a successful security team, implementing effective security operation practices, working with HR and creating an incident response plan is also covered.
Here, Ozkaya — author of 16 infosec and cybersecurity books — discusses the importance of CISOs understanding business strategies and explains why CISOs need to build relationships with other departments to be successful.
Editor’s note: This text was edited for length and clarity.
Who should read your book?
In the book, you wrote, ‘The security team will need to partner up with other departments within the company to ensure that the CISO … understands all the aspects of the business.’ Why is this step so important?
Ozkaya: I’ll answer two ways: for people who come from the industry and for people who don’t.
It’s similar for people who come from outside the industry. If you look through LinkedIn, you’ll be surprised at how many CISOs previously worked in marketing or product management roles. While these individuals might have business experience, they still need to understand the technology. CISOs must understand the core values of cybersecurity so they can build the right defense mechanisms.
Which departments and teams should CISOs prioritize partnering with?
Ozkaya: CISOs should work with all departments, but not all departments are equal when it comes to cybersecurity. The cleaning department, for example, can’t help clean computer viruses. That requires help from the incident response team.
It’s not about if, but when you’re going to get hacked. Prepare so you can get your business back online as soon as possible.
First, work with the incident response team.
Second, have a security operations team that can keep an eye on the network.
Third, have a red and blue team. These internal ethical hackers help find vulnerabilities.
The only difference between the red team and hackers is that the red team will metaphorically break into your house, open your safe and leave a Post-it note saying, ‘I used this technique to get into your house, but luckily, I’m a friend, and I just wanted to showcase how easy it is to steal your jewelry.’
What skills do CISOs need beyond technical knowledge?
Ozkaya: CISOs need soft skills and strong business skills. They need to be able to explain exactly what they need. Executives don’t care how many viruses you have, but will care if sensitive company details are leaked. CISOs need to use metrics board members and C-level colleagues understand.
It’s like asking a bank for a mortgage. The bank will ask several questions: ‘How much do you need? Can you pay the loan back? What is the ROI?’ The same thing applies for boards. They’ll say, ‘OK, you want $2 million, but why?’ CISOs need to know how to market their strategy because board members will only award the budget if they understand the benefits.
How has the CISO role changed in recent years?
Ozkaya: It has changed a lot. With more attacks, there’s more on the line for CISOs. Imagine you’re about to put money into a bank when you find out the bank just had a huge data breach. Are you going to choose that bank now? Probably not.
The first thing that happens after a cyber attack — if it’s a publicly traded company — is its share prices drop. Would you like to lose the trust of your shareholders, customers and employees? SolarWinds is a famous example. Leaders must work with cybersecurity professionals to maintain trust. This doesn’t mean your organization won’t get hacked. But, if you implement the right strategies to protect your core data, who cares if you have a cyber incident?
This was last published in March 2022 at TechTarget.com
More about Cybersecurity Leadership Demystified
Cybersecurity Leadership Demystified
It is with the utmost excitement that I finally announce the availability of my new book “Cybersecurity Leadership Demystified”. You can get a copy now at Amazon, Packt and many other book retailers.
I am thankful to Melih Abdulhayoglu (Founder of Comodo Cybersecurity), who wrote the foreword of the book, and also thankful to all the experts who have contributed in the ask the expert bonus chapter. Thank you Marcus, Timothy C. Adel, Mert, Mike, Paula, Dr. Suleyman, Vladimir, Raif, Raymond and Sukru.
Dr Erdal Ozkaya.
About Cybersecurity Leadership Demystified
A comprehensive guide to becoming a world-class modern cybersecurity leader and global CISO
- Discover tips and expert advice from the leading CISO and author of many cybersecurity books
- Become well-versed with a CISO’s day-to-day responsibilities and learn how to perform them with ease
- Understand real-world challenges faced by a CISO and find out the best way to solve them
The chief information security officer (CISO) is responsible for an organization’s information and data security. The CISO’s role is challenging as it demands a solid technical foundation as well as effective communication skills. This book is for busy cybersecurity leaders and executives looking to gain deep insights into the domains important for becoming a competent cybersecurity leader.
The book begins by introducing you to the CISO’s role, where you’ll learn key definitions, explore the responsibilities involved, and understand how you can become an efficient CISO. You’ll then be taken through end-to-end security operations and compliance standards to help you get to grips with the security landscape.
In order to be a good leader, you’ll need a good team. This book guides you in building your dream team by familiarizing you with HR management, documentation, and stakeholder onboarding. Despite taking all that care, you might still fall prey to cyber attacks; this book will show you how to quickly respond to an incident to help your organization minimize losses, decrease vulnerabilities, and rebuild services and processes. Finally, you’ll explore other key CISO skills that’ll help you communicate at both senior and operational levels.
By the end of this book, you’ll have gained a complete understanding of the CISO’s role and be ready to advance your career.
What You Will Learn:
- Understand the key requirements to become a successful CISO
- Explore the cybersecurity landscape and get to grips with end-to-end security operations
- Assimilate compliance standards, governance, and security frameworks
- Find out how to hire the right talent and manage hiring procedures and budget
- Document the approaches and processes for HR, compliance, and related domains
- Familiarize yourself with incident response, disaster recovery, and business continuity
- Get the hang of tasks and skills other than hardcore security operations
Who this book is for:
This book is for aspiring as well as existing CISOs. This book will also help cybersecurity leaders and security professionals understand leadership in this domain and motivate them to become leaders. A clear understanding of cybersecurity posture and a few years of experience as a cybersecurity professional will help you to get the most out of this book.