Over the past 20 years, the CISO role has slowly evolved from technology-focused to business-focused. Our efforts to get a “seat at the table” in the C-suite have succeeded, for the most part. We are now consulted on all kinds of strategic decisions and seen as a business enabler, not just a “cost center.” Other corporate leaders ask for our perspective on how to achieve business objectives while minimizing risk to the organization’s data, applications and technology infrastructure.
We earned this position by keeping a tight grip on the systems and teams involved in securing corporate resources, maybe too tight a grip at times, but we have matured into today’s security and risk business leaders. Our job was to assure stakeholders they were protected, and we held approval authority over whatever the business wanted or needed to do; we did that job by maintaining strict controls. This style worked better when a fully onsite team was managing a fully on-premises infrastructure.
But traditional command-and-control security management is not a great fit for the 21st-century organization. Our teams are rapidly transforming, as are the resources we’re protecting. Even before COVID-19, businesses were rapidly increasing their reliance on remote staff and cloud-based applications and data; the pandemic was an accelerator, a forcing function.
Now, our teams look different, the networks we’re protecting look different, and it’s time to change our strategies and management style as well. All CISOs need to think “hybrid.”
Hybrid is here to stay
Security staff became highly dispersed for a couple of reasons. One, of course, is that COVID-19 sent everyone home. Members of security teams—like all kinds of knowledge workers—went remote early in the pandemic to avoid face-to-face contact with co-workers. Then they demonstrated that they can be just as productive offsite as they are in the office, and many of them came to like working from home. One recent survey found that 77% of remote workers do not want to return to working onsite full-time.
Another reason is that hiring has become even more difficult. CISOs have complained for years about the cybersecurity skills gap. COVID-19 exacerbated the problem by causing some workers to drop out of the labor force due to health concerns, lack of childcare or other issues. The “Great Resignation” is making positions harder to fill, driving many CISOs to look for talent elsewhere, even overseas. An organization that needs data scientists or threat hunters, for example, may not be able to hire expertise for those positions locally. In response, CISOs have had to become innovative in staffing. If the right talent is overseas, we might soon be managing staff in a part of the globe we’d never previously given much thought to; the same goes for an unfamiliar domestic locality. The positive effect is that we now look everywhere to find the best and most diverse talent to transform our teams.
Creativity and flexibility are the name of the game for the modern CISO. However, geographic expansion comes with pressure to develop expertise quickly in the local political climate. As we consider hiring abroad, we need to understand the potential ramifications if public opinion toward the U.S. swings negative, as well as the types of events that might increase risk to our business in that country or region.
Motivating the hybrid team
At the same time we’re building political expertise, CISOs need to develop new management strategies to boost engagement and a sense of community among all employees, including those in the office, those who are remote but local and those on the other side of the world. Some executives still cling to the belief that working from home means getting less done, but the pandemic has shown us that engaged workers are productive, regardless of where they’re physically located.
Whatever the shape of a hybrid team, employees need an environment where they can communicate and where they feel valued. Fostering such an environment is a core responsibility of the modern CISO.
It might mean more meetings and brainstorming sessions, but there’s more to consider within this new digital environment. I know everybody in corporate America is suffering from Zoom fatigue right now. With that said, meetings don’t have to be tedious. A brainstorming session that would last two hours in the office might take 45 minutes on the phone, with a structured approach, an aggressive agenda, and the team agreeing to revisit the topic later.
Finding the right tools to motivate hybrid teams will require CISOs to repeatedly adjust our management styles. We need to commit to continuous improvement of our own leadership, to find the most effective ways to promote connections among employees and keep them engaged in work. Hopefully, we’ve already set the right tone in terms of culture; culture becomes much more difficult, if not impossible, to build when everyone rarely sees each other in person. The idea is to be present as a leader, no matter where the teams work, because your presence is a catalyst for productivity and reassurance.
Keeping an open mind in hiring
CISOs also need to make adaptations to their hiring strategies by shifting from hiring specific technical skills to hiring capabilities and outcomes. The pace of change in security technologies is only going to accelerate. The way I see it, I can always teach someone the technologies we use.
My top priority in hiring is to find people who are passionate about security, are flexible and interested in learning and have the right mindset to fill the open role on my team. Financial analysts, for instance, are used to a structured way of thinking that can translate well to security analytics. Marketing skills are also invaluable. In the hybrid world, marketing security to the broader organization is crucial. CISOs, who are great at technical explanations to an expert crowd, may have no idea how to contextualize and communicate in a way that the non-technical C-suite, or for that matter, the rest of the company, will understand.
The bottom line is: The right person for an open security job may already be working in a different position or department within the company. Alternatively, a great candidate may live on the other side of the globe. Either way, it’s up to the CISO to find the right person, then adapt the workplace so employees throughout the hybrid workforce are both productive and satisfied.
CISO attitudes of the past need to go the way of the five-year plan. The threat landscape and attack surface are changing fast, and we have to perpetually adapt to survive. It’s a challenging time to be in security leadership, for sure. But, with the opportunity to continue improving, and to protect the company from whatever external threats may arise, we have a chance to lock down that seat at the C-suite table.