A recipe for CISO success

A Deloitte perspective by Martijn Knuiman

What talents, skills and personality type does a CISO need to be successful nowadays? In this blog, Deloitte expert Martijn Knuiman shares his take on the current and future cyber security landscape, based on our 2021 report “Cyber security in the Netherlands: a responsibility we share”.

The issues of time, talent and relationships

The issues CISOs struggle with are mostly business oriented, and far from technical: they have to do with time, talent and relationships. This is confirmed by the survey results. It’s no surprise that CISOs are often distracted by firefighting the latest internal issues, while they also need to keep up with the latest external threats. Meanwhile, their organisation is constantly changing. They have a role to play in major transformations, but sometimes get called in too late. Amid all this, they need to set cyber security ambitions of their own and try to make progress towards them. So it’s key that CISOs learn to divide their time across issues based on urgency and importance, and to delegate.

Involved from an early stage

Many respondents highlight emerging technologies as a challenge. There’s always new malware to watch out for, and as businesses evolve, new cyber threats emerge. For example, manufacturers are building connectivity into their production lines to monitor and adjust processes. That’s a great innovation, but each access point could be a back door to the company’s IT infrastructure. CISOs need to be involved in these projects from an early stage.

A matter of communication

Having the right talent on the key topics reduces the challenges by at least half. According to the survey, managerial and non-managerial respondents rank the problem of “cyber risk alignment on senior stakeholder level” differently. In other words, CISOs and other executives don’t always share the same risk perception - and apparently the CISO is the last to know. That’s a matter of communication. CISOs are good at talking to other CISOs at conferences, but explaining cyber challenges such as emerging threats in a manner that board members can easily digest is an area for improvement. Again, a non-technical and very basic challenge: managing your relationships and your most influential stakeholders.

From “the department of no” to “the department of know”

This touches upon the role of the CISO, which is changing from being “the department of no” to “the department of know” - being a business advisor and an enabler. For years, CISOs needed to raise their voices to get the attention of the board, but now that they have that attention, they need to show what their added value is by delivering a meaningful contribution to the conversation. And to do so, they also need to listen. Successful CISOs are able to translate security technicalities into business language, making them better advisors. A tip: try pitching your advice in 30 minutes, then in 3 minutes, and then in 30 seconds.

A people person

So we clearly see that today’s CISO is a different type of personality. A decade ago the CISO’s main focus was on technology, whereas nowadays the CISO needs to communicate with the business and manage a diverse and inclusive team. A CISO no longer needs to rely on a deeply technical background. It’s more important to be a people person.

About the Dutch cyber security survey report

Recently, Deloitte Netherlands launched “Cyber security in the Netherlands: a responsibility we share”, a report based on a survey of 544 respondents: CxO executives, including CEOs, CISOs, CSOs, CTOs and CIOs (70%), and IT professionals (30%). The report dives into several questions, such as: where do Dutch organisations currently stand when it comes to cyber security? What do CISOs worry about? How do they envision the future? How do they feel about making the Dutch digital ecosystem more secure? Part of the survey is dedicated to the perspectives of Deloitte’s experts, including the writer of this blog, Martijn Knuiman.

About Martijn Knuiman

Martijn is a partner at Deloitte Cyber Risk Services. He has been a cyber security advisor with Deloitte for 16 years. He is now in charge of the Cyber Risk Vigilant & Resilient team.