What comes to your mind when you think of information security? If you watch a lot of movies, especially the ones involving the CIA, you would imagine a nerd in a basement trying to hack into the world’s most secure places with no life other than that. When it comes to the office, you imagine him to be a nerd ( again!! probably), sitting in one corner trying to protect your corporate infrastructure. Information security only gets associated with technical stuff such as firewalls, passwords, encryption, and most importantly hacking. Look at most of the job descriptions, and they will always mention the same. A search on the “top skills a cybersecurity leader should have”, results in Simplilearn telling us about network security, cloud security, virtual machines, coding, etc.
These are important parameters but are just a small part of the skill set of an information security professional. The MOST and I repeat, the MOST important skill a cybersecurity leader needs is the art of articulation and communication. Why? Because he/she needs to be able to communicate what is right or wrong with the information security program of the organization, the risks that the business faces, and convince the board for the moolah to get the work done.
According to a 2017 survey from the Information Systems Security Association International (ISSA), the most important qualities of a successful CISO are leadership (52 percent), communication skills (43 percent), and “a strong relationship with business executives” (35 percent). A handbook on cyber-risk oversight from the National Association of Corporate Directors (NACD) states that “the CISO should be able to articulate how cybersecurity isn’t just a technology problem; it’s about paving the way for the company to implement its strategy as securely as possible.”
What are the possible ways that you can work to become an articulate leader?
When in Rome, Do as the Romans do
Speak the language as your audience. Simply put, remove the technical cap off your head when you speak to the board of directors. If you explain the business risks your organization faces in technical terms, they may just be put off by your statements. Imagine the difference -
The current firewall has XXX vulnerabilities and this can lead to a potential DDOS attack where the hacker may gain control of the systems and enhance his/her privileges to further carry out data breaches.
OR
The current threat posture of our organization is at risk due to outdated infrastructure. This may lead to a loss of around 20 Million dollars in case an attack by a malicious attacker is successful. If we upgrade our infra which requires a budget of 2 million dollars, we save 18 million dollars from a cybersecurity breach and additional millions from reputational loss.
Security is not a technology problem, it’s a people issue
According to a study by IBM, human error is the leading cause of 95% of cybersecurity breaches. In other words, if human error was somehow eliminated, 19 out of 20 cyber breaches may not have taken place at all!
There are thousands of products in the market that can solve the technical issues at hand. What we have are people's problems. Poor communication. Politics. Power struggles. And these missing skills for cybersecurity create the same challenges that every other aspect of the business faces.
Taking a soft-skills approach to cybersecurity can pay more dividends in terms of security effectiveness than any technical skill ever will. This has been known for a while. Still, technical knowledge seems to trump everything.
Look at any of the job descriptions in the market out there, you will only find technical terms. There is hardly a mention of communication skills and even if that is done, it’s just for the namesake.
What's needed to solve modern information security challenges is for IT and security professionals to focus less on technical issues and more on people issues. I think it's safe that say that 80% of an effective information security program involves people skills. Oddly enough, it seems that no one has ever taken a course in such skills for cybersecurity.
Aim for the bull’s eye
Stop beating around the bush and focus on the key message. A message that is crisp, clear, and to the point makes a far more impact on the management and the board than talking in circles. A CISO or a cybersecurity leader needs to be clear about the ask he has from the management and at the same time, be clear on the risks or the message he/she wants to communicate to the board.
Taking a soft-skills approach to cybersecurity can pay more dividends in terms of security effectiveness than any technical skill ever will. Technical skills are a dime a dozen. Tons of smart people in the field can solve technical problems. But technical problems aren't what's holding security back. It's the people, communication, and business skills for cybersecurity that are lacking. At the same time, cybersecurity is not an IT problem anymore. It’s a business problem. Becoming an effective cybersecurity leader requires you to speak business as well technical in different constructs.
Just know that you don't necessarily need more products, and you don't need more technical skills. The magic solution is not a new product, but rather an articulate leader who can articulate the problem at hand. CISOs must adapt their communication style and substance to ensure the various stakeholders are properly informed of what is being done, why it’s being done, and how decisions made at every level of the business might impact the organization’s cyber-risk profile. That will help improve your cybersecurity posture.
What do you think of the importance of soft skills in the cybersecurity field?
Comments ()