by Jason Hicks, Global CISO at Kudelski Security
No matter how good a CISO is, there aren’t enough hours in the day to handle the myriad of new responsibilities that have been thrown at them. To be effective and ensure a strong security posture, CISOs need a lieutenant to head up each domain that falls within their scope.
Given all the challenges CISOs are likely to face moving into the new year – from supporting a permanent remote workforce and accelerating digital transformation to preparing for an expanded threat landscape – it is more critical than ever that they bring on strong deputy CISOs.
2021: The year of the security lieutenant
Every year we talk about the shortage of cybersecurity personnel, but it is a challenge that continues to put pressure on companies generally and CISOs specifically. One of the biggest reasons for that challenge in the security industry is the lack of effective grooming for future leaders. When organizations need to hire a CISO, they generally have to look outside for a candidate with prior experience in the role. If this trend continues, the industry will be hard-pressed to ever overcome the shortage of qualified security leaders.
This year, the skills gap will be especially acute for small and medium-sized businesses that cannot afford to hire or retain the right candidate. That is why finding and training security lieutenants from within needs to be a priority, both for CISOs to be successful in their role and to ensure their organization has qualified individuals who can take the reins as CISOs of the future. Further, that training needs to start early, since it can take an average of three to four years.
Mastering the lieutenant role
Deputy CISOs serve as the second in command, helping CISOs identify, track and respond to current security risks and oversee the implementation of new processes and strategy.
There are eight vital competencies that every security lieutenant – junior or otherwise – needs to master:
- Understand the business. Security is different for every company. It is about mitigating risk, and if a lieutenant doesn’t fully understand the business’ crown jewels, they’ll waste a lot of time chasing down the wrong perceived risks. Lieutenants should spend at least a few weeks working on the front lines of the business to ensure they have a good understanding of how the organization’s systems are used in the real world.
- Support the CISO in managing risk across security domains. This should be a given – managing risk is a huge part of security, and deputies should be heavily involved in this function.
- Maintain lines of communication across regions and business units. For a long time, the security team has been siloed and kept separate from other company departments. It is time to break down those silos. Collaboration between the security team and the rest of the organization is a must, both to advance security objectives and to improve the overall health of the organization.
- Oversee the implementation of security controls and policies. Every security deputy should have the technical knowledge and experience to identify and oversee the implementation of suitable security controls and policies starting with basic hygiene. Identity and access management (IAM) plays an important role, and lieutenants need to take the lead to ensure assets – from people to data – are kept safe.
- Listen to business needs and look for ways to support them. Security should never be seen as a ‘blocker,’ but more as a business enabler. Security leaders and deputies should promote security by proactively building relationships across the organization and being able to explain how stronger security also supports business objectives.
- Always be ready to embrace change. Change is a constant theme in security, and professionals should never shy away from it. They should drive cultural change based on risks and employee behavior and promote security throughout the organization.
- Understand technology, risk, security and organizational context. Most security professionals are highly technical; however, far fewer have a deep understanding of how security fits into a wider business context. Even fewer have first-hand experience measuring, tracking and managing security risk in an evolving business environment.
This mixture of skills, knowledge and experience is critical. CISOs should choose deputies who actively work to develop these areas throughout their careers.
- Educate the organization on cyber risk and readiness. Breaches from human error have cost companies $3.50M in 2019 alone, which can be at least partially attributed to the majority of employees’ lack of understanding about security and how their actions affect the security of the organization. Creating an enterprise-wide security culture is something all security professionals should strive to achieve, and it’s particularly important for security leaders.
Security isn’t something that can be achieved by the CISO alone. It requires the support of the full security team and the whole business. Through 2021, we will see how organizations and security leaders will start to include in their plans how to reduce the talent gap and leverage internal talent to train security lieutenants.
The next generation of security leaders will need to take every opportunity to educate their colleagues about security best practices and cyber risks, as well as how security is an enabler for achieving business outcomes to help grow their own skills and ultimately protect all the entry points to their organization.
About the Author
Jason Hicks is Global CISO at Kudelski Security. Jason is a veteran information security and risk management executive with CISO experience in the finance, retail and logistics industries. Jason leads Kudelski Security’s Advisory Services strategic and business development practices where he advises clients on risk management strategies and expands the firm’s engagement with top security executives across the world. Prior to his current role, he served as the global CISO for Ares Management LLP, a multi-national alternative asset manager, with more than $140 billion in assets under management.
He was a main contributor to Kudelski Security’s Cyber Business Executive Research: Building the Future of Security Leadership.