Talking security

Rhonda MacLean has spent more than 20 years in the information technology industry. Past roles include head of Bank of America’s Corporate Information Security Group and head of information security at The Boeing Company. She also sits on the Global Council of CSOs, a think tank of senior cyber leaders from the public, private and academic sectors.

CXO. In a recent article, Dave Cullinane, CISO at Washington Mutual, wrote: “Think about the responsibilities of today’s CISO/CSO. The last time I counted, there were more than 40 domains of security expertise required of a CSO – and that doesn’t include all the business and financial expertise that you need to be successful.” Is the CISO/CSO under pressure – and why?

RM. Pressure? It comes with the territory. A CISO/CSO role by nature has enormous pressure. The challenge is ensuring one stays calm and demonstrates positive leadership whether it’s ‘business as usual’ or ‘in the line-of-fire’. The CISO/CSO sets the stage and others will take their cue from the demeanour and reactions of the senior security executive within the organisation.

The role of the CISO/CSO requires multiple skills in today’s complex global business environment. I would compare it to the skills that companies look for in a CIO. You need to be able to understand your company’s business objectives and articulate effectively at all levels of the organisation on how the security organisation supports them. The ability to effectively work and build alliances across the various business groups within and outside the organisation is the key to success. Building and nurturing strong relationships can make the difference between success and failure. This is not a job for a loner.

I believe we are seeing the CISO/CSO role evolve because the job demands broad-based business, technical and people skills. One reason some CISO/CSOs are feeling the pressure is they either lack experience or lack confidence in the business and people areas. Many have grown up through the technical ranks and are experts in security. It takes much more than being the ‘expert in security’; it takes being an effective business leader who can manage relationships and influence others.

CXO. What are the key attributes that all good CISOs/CSOs need today?

RM. They need to know their business, know the security and risk environment and best practices as part of the basics. But beyond what we see as skills in many job descriptions, good leadership skills make the difference between those who simply survive and those who really make a difference to their organisations. Some basic examples would be:

• The ability to present a clear and compelling business case as well as using facts and data to influence others (this is absolutely critical).
• The ability to deal effectively with complex issues.
• Adapts quickly to new demands and challenges.
• Inspires and motivates others to constantly improve security practices and operations.
• Projects confidence and optimism in the face of adversity.
• Uses failures and mistakes as opportunities to learn for the future.
• Cares about team members and partners and treats them with respect.
• Takes personal responsibility for professional development and seeks coaching from multiple sources.

These are just a few of the leadership skills a good CISO/CSO should aspire to demonstrate on a daily basis. Strong leadership skills can really make a difference in being invited to the table with other business leaders within their organisation. This is where influence starts and results can be measured.

CXO. The CISO/CSO is responsible for protecting people, property, information and reputation. How important is technology to this process, and how important is good training and common sense? Is there a ‘best practice’ solution or a set of widely applicable guidelines to improving corporate security?

RM. Best practices start with a simple framework, which is comprised of people, process and technology. It is the effective application of solutions to each of those components against the concepts of prevention, detection and responding and recovering within which CISOs/CSOs must weigh their choices.

Effective application of best practices can be applied in the intersections of this framework. The job would be easy if everyone’s business required the same structure or solution set. This is where a good CISO/CSO can build the right mix with the right solutions based on their company’s unique risk tolerance and business needs. There are plenty of published best practices for CISOs/CSOs to use to help them determine the best application supporting their company’s business needs. Some of these best practices are generic but many associations provide industry specific guidance, which can be very useful for organisations that want to leverage resources already available.

CXO. Security is vital – but do CISOs/CSOs have a place at the table yet? Can they provide business leadership? And if so, how?

RM. There is no consistency throughout the profession. Those who are speaking the language of the business and demonstrating strong leadership definitely have a place at the table. They are also the ones whose organisations place a value on security and resiliency risk management as part of their overall business strategy.

For those who haven’t made it to the table yet, don’t give up. Here are some strategies that I have found to be extremely useful over the course of my career:

• Make sure you know your company’s strategy and objectives.
• Ask business leaders in your organisation some basic questions. What are your challenges in helping the organisation/company reach its goals? What is at the top of your mind? Remember: it is essential to ‘listen’ before trying to be understood.
• Formulate an action plan.
• Find a mentor and a business champion.
• Take your place at the table.