Advice from a CISO: the art of persuasion and leadership

Published: Thursday, 03 February 2022 08:27

Despite being based on and supported by technology, cyber security remains, first and foremost, a human art form. To unpack this, Continuity Central spoke to James Nelson, VP of InfoSec at Illumio, exploring what makes an effective CISO.

Without CISOs and security teams to compose strategies, select solutions, and drive those strategies forward, organizations wouldn’t know how to protect their data, adhere to privacy and compliance laws, or support their employees.

As such, CISOs hold a vital role within an organization, positioned as the glue that holds everything together and ensuring security runs through the heart and soul of the business. So, what does it take to be a CISO? Here are James Nelson’s views:

What are the foundations to making a successful CISO?

When we talk about the chief information security officer (CISO) role, we are referring to the person responsible for overseeing an organization's security program. A CISO could be responsible for a number of different areas, but they are all linked to keeping the organization's assets secure. Because of this, there can be this perception that a successful CISO stops breaches. While I can assure you that every security leader has this as a goal, the reality is that no CISO, and no security team, can prevent every attack on their own. Security is a team sport, and a truly successful CISO knows that it's a game of persuasion. A security leader must persuade their stakeholders to make expert security decisions – even if they're not security experts – in their day-to-day jobs, and if a breach does happen, rally the business to contain the issue and recover gracefully.

A CISO does need to be knowledgeable across the many dimensions of security. However, because they are also a bridge between technology and people, CISOs need to be expert communicators. Helping a non-technical business leader understand why the organization needs to make a complex, technical decision enables that leader to be a security advocate on behalf of the CISO.

What is more important for a CISO: skills or personality? Or both?

This is a great question, and of course I say why not both? But clearly each CISO brings a unique mix of skills to the table. Earlier we talked about how CISOs can't rely just on technical arguments to be successful, they also need to make security compelling, a critical part of the business's success. This means striking the right balance between hard skills and soft skills to collaborate with others. For a CISO, being successful can mean identifying their weak spots, and growing their skills to create that balance.

A CISO needs to persuade stakeholders at all levels – the board, executive leadership, and employees – to invest both personally and financially in their security vision. But sometimes the business may see security as a blocker for what they want, meaning that CISOs must be able to position security as an enabler, and to show how everyone wins with a healthy security posture.

How the security team is perceived by employees can also be an inhibitor, and often this is linked to the language we use. Even technology terms such as zero trust can be misunderstood. Nearly a third of the UK security leaders we surveyed feared that their employees will think their company doesn’t trust them if they implement a Zero Trust strategy – once again, evidence CISOs need to bridge that gap between technology and people. Making security concepts relatable can help build confidence and encourage stakeholders to buy into the security team’s vision.

How valuable is persuasion when it comes to conveying the importance of cyber security?

Persuasion is very valuable – I can't stress that enough. A CISO can't prevent breaches singlehandedly, but they can help everyone in the organization see the value of a healthy security posture, which ultimately can stop breaches. But even if a breach does happen, wouldn't you want an organization that was resilient, and able to recover successfully, because everyone saw the value in working together toward common security goals? I don't want to make this sound easy, as it can mean changing long-lived organizational habits. Cultivating a strong security mindset within an organization that also enables agility and growth requires empathy and patience, as well as a willingness to negotiate and collaborate. But the outcome is well worth it, for the CISO, for their team, and for the entire organization.

What are the keys to developing a cyber resilience culture?

Phishing, BEC scams, and other social engineering attacks continue to work because humans need both access and agency to do their jobs, and no amount of technology will help if a threat actor can trick someone into using that access for their own malicious purposes. CISOs can counter this by fostering a culture of security; however, it's sometimes difficult to measure the effectiveness of such a program. A common metric is how often employees are required to complete security courses, but giving people information on how to spot a phishing email, for example, doesn't mean they are going to change their behaviours.

One technique meant to address the lack of behavioural metrics is the use of phishing tests, but I've found employees often don’t see the value in taking them, and the tests don't represent the most effective methods, such as multi-stage phishing attacks. Instead, talking to employees about how they perceive security both at work and during off hours can build empathy and help a security team align their awareness efforts to what will be most impactful.

As a seasoned CISO, what advice would you give to your younger self, or indeed young CISOs everywhere looking to make an impact?

A CISO’s job is to effect change, and to do this you need to build bridges, not burn them. Sometimes, however, you will need to fight battles, but you should come prepared to present facts, negotiate, and, of course, be persuasive. But pick your battles, because not every security issue is worth spending capital on. Think of security knowledge as knowing something is a big security issue when it doesn't sound too risky, and security wisdom is knowing something isn't a big deal even when it sounds really bad. Your job is to take others outside their comfort zone, but you should likewise be prepared to go outside your own comfort zone to support your stakeholders and achieve success together.

Additionally, engage with your team on the mental and emotional impact of dealing with incidents, potential breaches, and lack of resources. While we’ve certainly come a long way from making the CISO a scapegoat for every breach, there's still a tendency to blame the security leader and their team when things go wrong. Help your team focus on supporting each other, as well as using incidents as a way to learn and adapt.