The CISO Brief

In the fast-paced field of cybersecurity, new CISOs have a brief period to establish credibility, develop their strategy, and show business value. You are expected to be proficient in managing operations, architecture, vendors, compliance, risk, and staying updated with the latest technology.

To assist in your success, we’ve created a field guide based on 50 years of combined cyber experience and insights from more than 20 CISO executive transition labs across various industries.

Your success in the first 180 days hinges on effectively managing three key resources: time, talent, and relationships. In this issue, we’re diving into talent.

Part 2: Talent

While some CISOs may be fortunate enough to step into a well-functioning cyber organization with minimal changes required, it’s more common for a CISO to inherit an organization that needs some form of improvement and restructuring to keep pace with the company’s evolving needs.

It’s the CISO’s job to foster the right skills and clarify responsibilities for their team. Technical skills are important, but risk functions require team members with certain intangible capabilities, such as the ability to collaborate, communicate, and work effectively in a team environment.

It is crucial to hire the right staff and realign teams. Prepare yourself for the challenges ahead, such as cyber talent scarcity, rising compensation expectations, and the need for technical and leadership training.

By equipping yourself with objective and factual knowledge, partnering with HR representatives, and tapping into your network to identify qualified talent, you can position yourself as a highly effective CISO.

Fostering high-quality talent at every stage

With so many open jobs to choose from, many cybersecurity professionals are seeking a company that will actively invest in their growth and career.

A solid way to differentiate your business is to think about the full life cycle of an employee’s career—not just the hiring process. CISOs can make active changes in each of the six life cycle stages.

1. Grow

Find innovative ways to expand the pool of cyber talent. Today there is a focus on educating youth about the importance of a science, technology, engineering, and math (STEM) education and STEM-related career paths. While this focus is important, organizations also need to look outside of STEM programs for future talent. Different skills and backgrounds are needed across the personas of the cyber talent framework.

2. Recruit

Build your organization’s visibility and attractiveness. Build on your brand with a strong value proposition. Broaden your talent pool by engaging nontraditional talent such as midcareer shifters and veterans. Attract candidates by creating postings that outline the required skills and training trade-off. For example, “If you have these foundational capabilities, we will teach you these advanced skills.”

3. Onboard

Jump-start the process of becoming part of the organization. It’s crucial to provide immediate engagement and development for new hires. Connect them with groups outside of cybersecurity to help them build relationships and an understanding of the business. Offer mentorship programs or training that sets up a clear path for a future at your organization.

4. Develop

Invest in employees to make cyber a career, not just a job. Help them build and refine their skills by providing opportunities to stay current. Encourage them to enroll in classes and conferences and to pursue certifications. Partner cyber talent with peers from adjacent roles in the talent framework to extend their skill sets and broaden learning.

5. Retain

Make retention a priority. Organizations that invest in people who are aligned to their talent value proposition are typically better equipped to attract and retain the type of talent needed to remain competitive. However, it is important to recognize that it is impossible to retain everyone, so you need to be strategic. Identify high-performance talent based on their future potential, leadership skills, hard-to-replace capabilities, and value as role models—and then go the extra mile to keep them.

6. Offboard

Maintain hard-won relationships. In a high-demand market, it is inevitable that some team members will choose to leave. However, it may not be forever; they may be future rehires down the road. You want former employees to speak favorably about your organization when they participate in knowledge-sharing communities. Help people find the right external opportunities if your organization is unable to meet their needs and learn valuable lessons for improvement whenever someone does.

To effectively execute plans, build trust, and drive cybersecurity initiatives, new CISOs must navigate the triad of time, talent, and relationships.

This field guide provides CISOs with insights to succeed and navigate the ever-changing cyber landscape while prioritizing business objectives. As a CISO, you can make a significant impact on your organization and society. By leveraging this guide, you can confidently position yourself as a leader and achieve your goals by focusing on relationships.

Cyber doesn’t exist in a bubble

Developing and maintaining a broad and diverse network is critical for a CISO’s professional growth and advancement, but sometimes a CISO’s relationship with the business can be hindered by the organization’s history. Depending on the previous culture, the CISO may inherit a cybersecurity team that is perceived as an “Office of No” rather than a business enabler. In some cases, the CISO will need to repair relationships between the cyber team and the rest of the company.

This can be a challenging task that requires talent adjustments, culture shifts, and a strong commitment to consistent timelines. There are no quick fixes, but a concerted effort can yield positive results.

Relationships with other C-suite titles

It’s crucial to establish strong relationships early on, especially with the chief executive officer (CEO), chief financial officer (CFO), chief risk officer (CRO), chief legal officer (CLO), chief data/technology officer (CDO/CTO), and chief information officer (CIO). Without their support, it can be challenging to cultivate a culture of risk awareness across the organization, contribute to strategic decisions, and earn a seat at the executive table.

Building a network of peers, including other CISOs, can also provide valuable guidance and support. However, it’s important to note these relationships take time and must be earned through a mix of business, financial, and risk acumen.

Relationships with the board

Often, the CISO is translating not only cyber risk, but how it intersects with enterprise risk and technology risk. This requires building relationships outside of cybersecurity to bring data into a unified report and to make sure board members and executives have the right understanding of that risk.

For example, imagine a large financial institution is planning to launch a new online banking platform. The CISO needs to ensure this platform is secure from cyberthreats. However, the CISO’s role isn’t just about identifying cyber risks; it’s also about understanding how these risks intersect with broader enterprise risks (like regulatory compliance and reputational damage) and technology risks (such as system outages or data loss).

To do this effectively, the CISO needs to build a network with various departments, including IT, legal, compliance, and marketing. By collaborating with these teams, the CISO can gather comprehensive data on potential risks and create a unified report that highlights cyber, enterprise, and technology risks.

Relationships with external firms

Collaborating with market-leading firms can helps CISOs improve their organization’s cybersecurity strategy plans and make better decisions. These companies bring valuable experience and fresh ideas, helping to cover any skill gaps and offering new ways to tackle security threats. Building long-term relationships with these firms encourages ongoing improvement, aligns everyone on common goals, and ensures clear communication, leading to stronger and more effective cybersecurity practices.

Relationship with internal audit

Another relationship a CISO should prioritize is with internal audit (IA). Mature organizations use the IA function as a second set of eyes—to vet new solutions or initiatives, to get budget support, or to highlight risks that aren’t getting attention.

Cyber teams can sometimes feel like IA is hindering the team’s goals. But this point of view often stems from a poor relationship or lack of communication.

In conclusion

Remember, cybersecurity does not exist in a vacuum. It requires a concerted effort to integrate cyber risk with enterprise and technology risks, ensuring that all stakeholders—including board members, executives, and IA—have a comprehensive understanding of the threat landscape.

As you move forward in your journey, prioritize building these critical relationships and consider taking advice from market-leading firms that have a broad perspective. They are the foundation upon which you can create a resilient and forward-thinking cybersecurity strategy that not only protects your organization but also empowers it to achieve its objectives.