Risk management as the essential skill for a CISO

A CISO has to spend a lot of time interacting with the business and also needs a team of professionals who can perform highly specialized technical tasks.

Last year, looking at feedback from my colleagues on the industry’s focus and issues, I had mixed feelings. A year later, it turns out the results of our new survey (available below) are even more interesting.

The very first impression you get as you look at the results of these two studies is this: Information security in general, and the role of CISO in particular, are becoming more and more important for business — at least, according to roughly 300 of my infosec peers. Definitely a good sign. So is the fact that more and more respondents have listed “risk management” and other business skills among the essential ones for their role.

There is one point on which I cannot agree with many of my colleagues, however. Some still say technical competencies and intimate knowledge of corporate IT systems are the key skills for both their work and their further development. It seems to me that even though technical knowledge is the basic requirement for a CISO — and even though CISOs do need to be conversant with new technologies —the industry must realize that modern IT systems are far too complex for CISOs, even potentially, to have the full picture, technically speaking.

Moreover, information systems are going to get even more sophisticated (which most respondents do expect). Therefore, a CISO’s technical competencies, though important, are secondary to the development of skills such as risk management, effective team management, and business communication. Today, staff is what matters.

Understand people, not systems

In fact, both IT systems and security technologies are now sophisticated enough to free highly specialized professionals to make business-critical decisions. Of course, that shift makes trust on the team even more important than ever. On the one hand, the information security department chief has to be able to trust the team’s specialists. On the other hand, they, too, must trust the CISO’s judgment and decisions — not blindly or without the ability to voice their opinions, but with a common cause and mutual professional respect.

According to the respondents, winning budget increases for procurement of systems is sometimes easier than hiring more information security professionals. Buying as many shiny new systems as possible may sound great, but it is much more important to identify the key skills and competencies indispensable for in-house experts and those that can be outsourced. In fact, given the shortage of specialists in the market, I think it is a good idea to regard outsourcing as an opportunity to expand the department’s capabilities and respond to business needs faster.

From incident response to risk management

Even though the role of CISO has gained importance for key stakeholders — the board of directors or CEO, for example — as before, most of the time they call for help after something has already happened. (Luckily, that seems to occur mostly to competitors or industry peers. But nonetheless, it demonstrates that many companies do not regard information security as a business risk management tool.) And, when asked how management measures IS performance, many CISOs still say that the number of incidents or incident response time are the key indicators.

Those are certainly important factors, but in the modern cyberimmunity concept Kaspersky embraces, a well-protected company is not the one merely minimizing the number of damage-inflicting attacks or quickly investigating incidents, but the one whose business can successfully develop despite such incidents.

After all, tolerable risks and acceptable potential losses through incidents are different for different companies. Sometimes it pays to loosen the grip of protection measures to boost business development. In other situations, that is not an option. The number of incidents cannot serve as the absolute measure of IS performance. How IS measures affect business task processing speed and cost are also important. Therefore, in my opinion, CISOs must above all be able to adequately assess risks and build information security systems perfectly adapted to their companies and business processes, rather than hyperfocus on incident protection.

Spend more time with lawyers

One more thing that stood out to me was answers about the importance of communicating with other departments inside the company. Lawyers should have higher priority than they do. Today, the growing complexity of IT systems and their interrelations with outside services on the one hand, and international laws on the other, mean that one cannot ignore the potential legal consequences of information security professionals’ decisions.

Respondents ranked contacts with lawyers in fourth place — after financial managers, the board, and IT department colleagues. I believe that contacts with lawyers should at least be prioritized higher than contacts with financial managers. If you view information security as a business risk management tool, that’s only logical.

The survey offers much more interesting data, so I recommend reading the full text. To download the report, please fill out the form below.