Dan Roberts speaks to eight leading CISOs about the information security leadership talent gap, core skills required to succeed as a CISO, and more. This is the first of a two-part series.
With cyber risks proliferating and threats growing more widespread, the role of cybersecurity leadership has become more vital to business than ever before. It has also become exponentially more complex. Cyber leaders have to balance securing the business and responding to attacks with enabling transformation and influencing other leaders as a partner in decision-making. In other words, this isn’t just a technical job; it’s a strategic one with a mission-critical agenda.
And yet, too many current and future cyber leaders haven’t been equipped to manage the rising expectations and competing demands of the role. A recent Lightcast survey shows that only 22% of cyber leaders have previous management experience. Put another way, nearly eight out of 10 cyber teams are being led by someone who has no prior management experience.
It’s an alarming statistic but one that Ron Banks, CISO, Managing Director at Texas Capital Bank, isn’t surprised to hear.
“Too often, cyber experts are promoted to leadership positions because of their technical prowess and not as a result of their managerial or leadership skills,” he says. “The consequence is that those CISOs lack the soft skills of building and leading teams, developing cyber strategy linked to the overall business goals, and being able to effectively communicate to the C-suite or board of directors to properly convey risks and value.”
Banks is one of a number of top-notch CISOs I recently spoke with about the state of cyber leadership. They shared their thoughts on the skills and mindset we should be cultivating among future-ready cyber leaders — and what is at stake if we don’t.
Skills That Differentiate High-Performing Cybersecurity Leaders
While cybersecurity leaders need to understand cybersecurity capabilities and digital risk management, and to possess other domain expertise, none of the CISOs I spoke with highlighted these as the differentiating factors that elevate top performers. In fact, most didn’t mention them at all.
Instead, they talked about being able to create trusted, transparent relationships and influence people up and down the ladder. They emphasized the importance of business acumen, systems thinking, and a big picture perspective, as well as capabilities around team building, innovation, and change leadership.
In a field governed by ever-changing regulatory mandates and steeped in technical complexity, excellent communication skills are particularly important. To spearhead a strong security culture, cyber leaders have to be champions and ambassadors who can clearly explain what’s at stake and why it matters, and they have to build that capability within their teams as well.
Erica Wilson, Vice President, Global Security and Privacy Risk Management, Global Technology at RGA Reinsurance Company, says it’s about being able to tell the story of an issue or opportunity and its risks so that it resonates with business colleagues.
“Great cyber professionals who rise as leaders often have the ability to communicate risks in a meaningful way across all levels within an organization. They also understand that while cybersecurity may be their area of focus, every decision should result in an outcome that provides purpose and value to the business.”
That perspective is crucial for getting support for cybersecurity priorities. Gary S. Chan, System VP & CISO of SSM Health Integrated Health Technologies, notes, “Leaders who cannot express how their team provides value in profit terms will always suffer when it comes to obtaining funding and buy-in at higher levels of the organization.”
None of this is easy, especially when it comes to the level of risk and stress cyber leaders must shoulder, day in and day out, and the breadth of their responsibility. Erika Carrara, CISO, Wabtec Corp., points out that, “Each person is finely tuned to receive the message given to them to be successful. A CFO can listen to the CEO’s vision for business growth and interpret that into actionable objectives. A COO does the same thing. But a CISO has to do that for every role, every line of business, through every part of the organization and reach people where they are on top of all that.”
While skills like relationship-building, influencing, leadership presence, and communication are often dubbed “soft skills,” a more accurate term is “core skills.” They’re foundational to cyber leadership success, and rarely do people just come to the job with them. They have to be developed, practiced, and nurtured.
With a huge talent gap and a monumental responsibility, how can companies accelerate this process of identifying and developing future-ready cyber leaders? Matt Modica, Vice President and CISO for BJC Healthcare, observes that most organizations have done a good job establishing training programs related to technical recertification and skills. However, “They don’t always recognize that leadership training is just as vital.”
In addition to those core skills, Brinks Global CISO Patrick Benoit reiterates the need for leaders to focus on broadening their knowledge of other business functions. “Adding more technical skills to your cybersecurity toolkit does not give much gain to your leadership ability,” he adds.
A Leadership Mindset
In combination with a business orientation, these core skills help the cybersecurity leader build a brand of trusted advisor versus reactive order taker. They also equip the cyber leader to show up with a business-first mindset, able to anticipate and adjust as necessary “without leaving a wake of disruption and dissatisfaction along the way,” as Modica puts it.
Benoit, who believes emotional intelligence is the big differentiator for leaders today, notes that this is a departure from the old command-and-control model of leadership, and a necessary one for building a team that functions together to achieve common goals.
This mindset is even more important when you consider the diversity of skills and perspectives a CISO needs on their team to stay ahead of a continually evolving threat landscape. Andrew Wilder, former Vice President and Global CISO at Hillenbrand, refers to Abraham Lincoln’s strategic decision to assemble a “team of rivals” who would challenge him and contribute needed thinking and ideas.
“This is the key to a high-performing cybersecurity leadership team — the ability to break away from the norm, to question the way things have been done, to try new things and not fear failure,” he says. It’s up to the leader to create an environment that enables it.
Another key differentiator among high-performing cyber leaders is the ability to balance immediate issues and projects while monitoring the threat landscape and anticipating any potential concerns on the horizon. Cyber leaders can’t be heads-down, working in a vacuum. This, too, can require a significant mindset shift for an individual contributor moving into a leadership role.
“Cyber leaders must see themselves as business enablers, not doers,” says Moses Bulus, Group Chief Information Security Officer of Bunzl PLC. “They must work closely with the business to understand its needs and provide alternative solutions instead of saying ‘No’ to everything. Cyber leaders with an open mindset and the ability to influence others in the business go a long way.”
Rethinking the Cybersecurity Leadership Talent Pipeline
According to (ISC)2’s 2022 Cybersecurity Workforce Study, the global cybersecurity workforce gap increased 26.2% in just one year, leaving companies even more vulnerable to potential attacks and disruption. In the urgency to fill the pipeline, however, they may be putting people into roles they’re not necessarily suited for or aren’t equipped to succeed in.
One of the themes I heard over and over again can be summed up by Modica: “What got you here won’t get you there.”
While it’s common to promote people up the ranks based on their success as an individual contributor, the cyber leadership role requires much more than domain expertise. It also requires shifting your attention away from your own technical prowess and individual accomplishments to bringing out the best in your team.
“People leadership isn’t for everyone,” Modica notes. What’s more, assuming someone can step up seamlessly into leadership is a gamble. “Just because someone is the best technical resource in a group, they may not be — and probably won’t be — the best leader,” adds Wilder.
Again, the need to understand and “speak” the business is essential. With digital transformation initiatives embedding technology into nearly every aspect of business strategy, cyber leaders need to be involved on the front-end of these strategy conversations to mitigate potential risk. But they have to build their credibility to earn that seat at the table.
Developing Future-Ready Cybersecurity Leaders
The stakes are high, says Bulus. “If the number of cybersecurity leaders with management experience does not grow, the industry risks misalignment of cyber and business strategy.” And that can have major consequences from both a strategic and an enterprise risk perspective.
These points have been proven out by a recent Gartner survey which found that 88% of boards now view cyber as a business risk. This number has risen over time, reinforcing the point that a decade focused on investing in more tools and technology has not achieved the desired results.
The benefits to acting now are clear. As Banks, a founding member and advisory board chair of DallasCISO, notes, “With the development of the soft leadership skills mentioned above, effective cyber leaders will be better equipped to understand the business objectives and be integrated into business decision making so that cyber is a proactive design element rather than an afterthought.”
The challenges, and the opportunities, to accelerate cybersecurity upwards on the value curve don’t end there. Join us here again soon for part two as we unpack more of the complexities through the perspectives and experiences of these and other distinguished thought-leader CISOs.