CISO Softskills Handbook

A Gated BRAINTRUST of the Wisest in IT

WISEGATE ANSWERS: GUIDANCE & COACHING HANDBOOK

A CISO Handbook to Effective Leadership & the Art of Influencing People

Learn how veteran CISOs earn recognition as good leaders and gain the support of others


Introduction

Whether or not you care about being the life of the party, the role of CISO demands more than just technical skills. It also requires the ability to understand business needs, build cross-functional support and mentor the next generation of security leaders. These soft skills aren't always easy for security practitioners. As one Wisegate CISO explains,

"No offense to anyone out there, but technologists can be socially inept. We often feel much more comfortable sitting in front of a screen and a keyboard than having a face-to-face meeting."

By exchanging strategies and tips with their peers, Wisegate Members are investing in themselves, proactively improving their management skills and growing as IT leaders. In this report, Wisegate makes available veteran CISOs' leadership strategies (typically shared only between Wisegate Members) to the wider IT security community, with advice in 4 key areas:

Understanding the importance of soft skills: What leadership skills are necessary for CISOs, and can those skills be learned?

Building influence and alliances within the organization: How CISOs build cooperation and collaboration across the organization (even if they lack executive authority).

Mastering the art of effective communication: Strategies CISOs can use to clearly make their point and sell their vision to the business.

Identifying and mentoring future security leaders: Why it's important for CISOs to find and develop new security leaders within their team.

Understanding the Importance of Soft Skills

There is no question that technical skills are necessary for anyone working in IT, but as you move up to executive levels, other skill sets come to the fore. As a Wisegate CISO notes,

"It was very much a learning experience when I hit the CISO level to find out that I needed to play nice with others in the sandbox. Not that I never did before, but it's a game-changer most certainly."

A Healthcare CISO explains,

"You have to be friendly, able to communicate well, a salesman of sorts, have people respect you, and have a high level of common sense."

Survey sidebar: A recent survey of Wisegate Members ranked Collaboration, Strategic Thinking and Influence as the most important skills for security leaders. (Survey question: What skill(s) do you consider essential in order to succeed in your organization?)

Wisegate Membership Has Its Advantages

Learn how your peers use Wisegate to gain IT knowledge and advice. Wisegate Members are some of the most experienced IT and security executives and managers in the world, and they trade the knowledge they've gained through experience using Wisegate.

Sharing the Wisdom of IT Experts: We don't allow vendors, analysts or IT rookies to join. 100% of Members are senior-level (IT executive, director or manager). 91% of Members have 16+ years' experience in IT.

Schedule your tour today! wisegateit.com/resources/book-a-tour

CISO Guide to Effective Leadership & the Art of Influencing People

Source: Wisegate, October 2013

It undoubtedly takes a special type of person to successfully step into the role of CISO. A Wisegate Member describes the many hats he wears in the role of CISO as,

"I feel like we're part politician, part therapist, and part lawyer. I had to learn through my career to get away from my desk, and go talk to people. It's taken a number of years, but now people who just meet me classify me as an extrovert."

The acquisition of soft skills isn't always easy or comfortable for all security practitioners, but with commitment the necessary skills can be mastered. As a veteran CISO notes,

Building Influence and Alliances within the Organization

As the above survey results illustrate, collaboration and influence are two key skills for security leaders. But since information security officers often lack executive authority over the rest of the organization, they must harness other skills to foster cooperation and collaboration. As a CISO in the Banking and Financial Services industry states in reference to the above survey,

Learning how to build win/win relationships is critical to success. As a CISO describes,

"It's necessary to build alliances within the organization so that you build a rapport with these people, and understand what's important to them. As soon as you start supporting them, they're going to turn around and support you. All leadership skills are important, but influencing without authority stands out."

Success Tips

Building alliances within the organization is no easy task, but Wisegate Members offer the following 4 success tips:

Tip #1: Keep people informed with digestible updates

Influencing others and building cooperation is an ongoing process that takes place on a daily basis. As a first step, you should continually keep others apprised of what is happening. Giving a complete view of a situation can be lengthy and complex, so find ways to cut your updates down to the most essential points, communicate those in a concise manner, and provide access to additional data that people can explore if they have the time or interest.

Key to Success: Cut updates down to the most essential points and communicate in a concise manner.

Tip #2: Think like a negotiator

Along the way, it is vital to concentrate on what is most important to the business and to start thinking like a negotiator. This includes discovering what business units are working on in the next year, and what challenges they're facing. Then you can figure out how security can support these goals and initiatives.

Key to Success: Figure out how security can support the goals and initiatives of the business people you are working with.

A Healthcare CISO explains,

A Municipality CISO describes his recommended approach as,

"Let them know what's in it for them and why it's important. You've got to look at it from their point of view; they don't care about the mechanics or the technical nature of it. It needs to be broken down into: What does it mean to the business? Are you going to slow it down or speed it up? And can you be a business enabler?"

An Information Security Officer from the Healthcare industry adds,

"You have to overcome the old security manager reputation of saying No and show that you're all about business enablement. I tell my managers that I'm here to not only help them do business, but to do business securely. I see the security manager's job as the enablement of secure lines of business communication. But, I have to keep in mind that security should be in alignment with the value of the data. Putting in gates and security for low levels of information will be perceived as overkill."

Tip #3: Make their job easier

To be successful you will need to gain the trust and support of others across the business by showing them that you will make their job easier, not encumber them with additional rules that keep them from doing their job. A Senior Security Manager for a Manufacturing Company says,

"Let them know you want to take out the complexity and make it easier but more secure for all. Security is here to help not hinder. If you can show this, you're on your way."

Sometimes restrictions are necessary. In such cases, help others understand why these actions are being taken and the consequences of not adopting your recommendations. The Director of Information Security for a Logistics and Transportation Company states,

"We all want to enable the business and make their lives easier whenever possible. If you are doing that, the business will be more understanding when something does need to be taken away."

Tip #4: Act in service to others

The ultimate way to gain trust is by delivering what business units want. Security leaders can no longer afford to be viewed as a barrier to business. Sometimes this requires CISOs to ask their security teams to think creatively, as a Wisegate Member explains,

"We have evolved all our people to think, not no. No is not the answer. It's how. How do we enable the business to do what they're trying to do in a safe manner, or as safe a manner as possible?"

It is better to meet the needs of the business rather than be circumvented, as a Director of Data Services states,

"We make sure that we deliver what our business units need in a timely manner. We do this to help business as well as reduce the possibility of shadow IT groups."

Mastering the Art of Effective Communication

The key skill for gaining cooperation and collaboration is the ability to communicate. The Director of Information Technology of a Banking and Financial Services Firm states,

"If you cannot write and speak as a member of my management team then you probably are not someone I want interacting with the rest of the organization. I can teach someone technical skills, how to analyze data or even to think more globally, but if they can't articulate that vision or strategy then it doesn't matter how good they are."

Communication is a broad topic, but it is a skill that can be learned.

7 Communication Strategies from Wisegate Members

Strategy #1: Know your audience

Before planning a paper or presentation, take some time to analyze who will be receiving the communication. It helps to know their interests, their concerns and their level of technical understanding. A Wisegate Member states,

"As I spend more time presenting to our executive team, I realize that you have to appreciate how each of them likes to digest the information."

The Director of IT Risk Management for a Financial Services Firm says,

"Some people skip straight to the point and don't really care as much how you got to this conclusion; they just want to know what the meat of it is. Other people want to look at all the other things you considered."

Strategy #2: Be a detective

Sometimes a little legwork goes a long way in ensuring success. One Financial Services Risk Manager says he surveys other executives to find out the best approach given the audience. As he states,

"You can gain insight from other executives who present on a regular basis. They're usually happy to share the information of what works and what doesn't, and will generally help review any proposed presentations you have or any messaging to help you refine it."

A SECRET TIP: THAT MIGHT NOT BE SO OBVIOUS, BUT IT'S TRUE

Administrative assistants can be extremely helpful as well, as a Wisegate Member shares,

"Administrative assistants and executive assistants are invaluable. They'll tell you exactly what the executive's personality is and how to be successful."

Strategy #3: Understand the importance of sales and marketing

Sometimes the CISO role requires sales and marketing. If a business audience doesn't get the need for security, it might be necessary to sell them on security first, before getting to the main point of the paper or presentation. A Local Government CISO says,

"Some executives think information security is just an add-on that's not needed. In other cases, they really get it. You have to discover who you're addressing and where they're headed, and that takes time because they'll shut your message off if you begin with the wrong slant."

Strategy #4: Watch your language

We're not talking about swear words (though you may want to be careful with those), but your tech terms. Unless your audience shares your level of expertise, you may as well be delivering the talk in Medieval Latin. So, pick the language they speak, not your own. Even if you are careful to define the terms and abbreviations early on, every time they have to stop and think back to what you said earlier, you have lost their attention for at least that portion of the presentation. A Wisegate Member recommends,

"Stay away from technical jargon and abbreviations because they'll glaze over. You've got to take all that out and distinctly say what you're trying to say to them."

Strategy #5: Clarify your message

Not only do you have to eliminate IT jargon, you have to know how to translate information into the language of the audience, whether it's the language of business, personnel, finance or education. Take the time necessary to deliver the exact message you want, without getting sidetracked or causing the audience to become lost or bored before you deliver the main message. The IT Risk Manager for a Financial Services Firm explains,

"For every five-minute presentation, I spend hours refining that message and making sure that the points are clear, that it's not cluttered and that they really get out of it what they were looking for. It needs to come home to them: why they should care about this and how it impacts whatever areas they're responsible for."

Strategy #6: Focus on the result

It is easy to get caught up in the nuts and bolts of a solution, but that is not what the audience wants to hear. They are likely more interested in the problem that needs to be solved and what the result will be from implementing your proposed solution. A Wisegate Member states,

"You should start with why you're there, what you're trying to accomplish, how you're going to do that, and the results of that. If you can summarize that quickly they'll appreciate it."

Strategy #7: Keep their attention

For live presentations, it may be fun to create a detailed PowerPoint presentation, but that can work against you. In most cases, people don't want to wade through too much detail. The Senior Security Manager for a Global Consumer Electronics Firm states,

"If I can make it work, it's better to set it up so the first sentence or first bullet point answers their question. Make sure it's just straight to the point. Within that first 15 minutes, if I see executives drifting off, I'll have to do something. I always throw something in there to make it a little humorous. I'll add something just to catch everybody off-guard and make sure that they're still awake."

TIP: ADD SOMETHING HUMOROUS (WHEN APPROPRIATE)

The Senior Security Manager for a Global Consumer Electronics Firm gives the following example of a presentation he gave to the president. He had done a gap analysis and examined some old internal tools that never really worked, and that everybody complained about. As he shares,

"I listed the tools, and then I put 'sucks', and I did another one and it said 'sucks more', then for the third one I put 'really, really sucks'. They laughed at it, but then I put the politically correct one after that. I just did that to break the ice."

Identifying and Mentoring Future Leaders

Unless a CISO can handle all the leadership duties within the organization, a CISO needs to foster others who can move up within the information security ranks. So how does one find a good candidate to groom for a leadership position given all the hats required? Here are some of the qualities that Wisegate Member CISOs look for:

Tenacity: Somebody who's outgoing, who isn't afraid to take on challenges and who's determined and tenacious in getting things accomplished. As CISOs, we have to try again and again and again.

Vision: Being able to see past the current state, faults and shortcomings and have a vivid image of what state you need to move your program to, and then being able to articulate that vision clearly to others.

Understanding of Business: If they don't understand the business, they will never be good security officers. It's extremely important for them to know what the business is, what the mission is and what the leaders of the organization want to protect.

Versatility: Security professionals have to be versatile, so I'm always looking for somebody who can just wear a lot of hats no matter what they're doing.

Solution Oriented: I'm looking for someone to bring me a solution, and someone who can sit down and explain it to me, what they've thought about and what their opinion is. That shows me that they're somebody who is willing to take the time and effort to look at a problem from both sides and try to find a good workable solution.

Developing Skills in Emerging Leaders

Once a potential security leader has been identified, how does one go about grooming that person for a more senior position? A Wisegate CISO Member states,

"Spend time with these promising folks. Take a look at their skills, just in inventory, and help them with the skillsets they might need assistance with."

Here's how Wisegate Members help develop the skills of their future leaders:

Communication Skills: For those who are not naturally great speakers, several of the CISOs recommended participating in Toastmasters. To improve written presentations, college and online business writing courses can help.

Business Classes: "I recommend others to take some basic business courses," says one CISO. "It's not that you have to go after another degree, but you need to understand the basics."

Cross-functional Teams: To develop collaborative skills, someone can be assigned to a cross-functional team. Not only does it help the employee grow, but it provides a manager insight into how that person interacts with others. "When you're working with others on a cross-functional project, you learn their traits and personalities," says a Wisegate Member. "By giving them the opportunity to lead cross-functional projects according to their skills and experience, it helps them grow by osmosis."

Learning by Experience: "I let them handle some day-to-day situations," says a Healthcare CISO. "They're going to learn by the incidents that come up in order to develop the toolkit they need."

Assigning Responsibility: They have to assume some accountability, and that's going to lead to credibility, which is vital in any CISO.

Weighing the Importance of Certifications

In addition to these skills, what about technical skills, and exactly how valuable are security certifications? Wisegate Members weigh in:

Certifications build credibility: "I believe them to be vitally important," says one CISO. "I'm going to go with the essence of why the certifications were created in the first place, and that was to provide the business world with an assurance of somebody having a baseline knowledge of information security and/or how to manage information security."

A good way to get in the door: "It's a basic requirement if you're talking to a recruiter and an HR person, because those are the keywords they're looking for," says a Financial Services Security Executive. "Lack of certification makes you stand out, and you will have people questioning why you didn't put in the effort to sit for a six-hour exam for this CISSP."

CISM may be more valuable than CISSP for CISOs: Of the CISSP and CISM, the CISM was viewed as more valuable for a CISO. "If I'm hiring people, I'm looking for something like a CISM to show that you spent time to study," says the Municipality CISO. "If I've been working with somebody for a while and know their technical chops, it's not as important because I know who they are and what they can do."

Experience trumps the certificate: Bottom line, it comes down to experience. So when looking for someone to move up into management, security certification is not always enough. As a CISO states, "Comparing a candidate with only a CISSP to another with a CISSP and some server and network certifications, for example, I prefer someone with a more rounded background."

In Closing

As the role and responsibilities of CISOs continue to expand, current and future security leaders will need to develop the soft skills necessary to thrive within the business and ultimately establish influence without executive authority, master the art of persuasion through effective communication and nurture the next generation of security leaders.

Being part of Wisegate keeps senior IT practitioners abreast of evolving security management trends and informed on which approaches their peers find effective. In-depth discussions on how CISOs overcome career challenges using effective leadership strategies continue online at www.wisegateit.com.

IT experts. Trading IT knowledge.

Wisegate is an IT expert network and information service that provides senior-level IT professionals with high quality research and intelligence from the best source available: their peers. Through live roundtable discussions, detailed product reviews, online Q&A and polls, and timely research reports, Wisegate offers a practical and unbiased information source built on the real-world experience of veteran IT professionals. No analyst theories or vendor bias to cloud the information, just clear and straightforward insight from experienced IT leaders.

Would you like to join us? Go to wisegateit.com/request-invite/ to learn more and to submit your request for membership.

PHONE 512.763.0555 | EMAIL [email protected] | WEB www.wisegateit.com