Job Description: Chief Security Officer
The chief security officer directs the planning and implementation of enterprise IT system, business operation and facility defenses against security breaches and vulnerability issues.
Yesterday while writing about the federal government's attempt to profile the ideal cyber security worker, I found it interesting that in polling 50,000 people, things such as teamwork, attention to detail and interpersonal skills were ranked higher than network security and organizational awareness.
The feds are trying to standardize expectations for skills and training of cyber security workers throughout government. I've also written about a bill that would name a chief security officer for each federal agency.
In a post at csoonline.com, security career expert Lee J. Kushner lays out four essential skills that CISOs need now. Not surprisingly, they tie security tightly to business functions and in major ways rely on interpersonal skills.
Instead of thinking about what a widget does and how cool it is, CISOs need to be thinking about 'How is this technology going to affect our business? What is going to be the impact if we do this with our supply chain, or access management, or mobile apps or whatever it may be.'
2. Business acumen at a whole new level. Kushner says that security pros have to move beyond making other security pros their peer group. If they want a seat at the executive table, to be viewed as members of the executive team, they have to make business leaders their peers-and understand how security relates to business issues. He says:
Most security folks think they have business skills. But the way a security person defines business skills, and the way the CIO or the CFO or another C-level person defines business skills are probably two different things.
3. Communication, including listening. While it's important for companies of all sizes to educate workers in security, Kushner says listening is perhaps the most overlooked skill, especially in learning how to communicate effectively with different groups within the organization. He says:
Figuring out the different languages and figuring out how to translate what you're doing into a language that they respect and understand is big. Effective communication from a security leader means having a broader knowledge base, understanding the competing interests of the business, and making sense of it.
4. Leadership, no matter your current position. According to Hay Group's 2011 Best Companies for Leadership study, the best companies at developing new leaders expect all employees to demonstrate leadership. If that's not your company's practice, no doubt you have to look for ways to do so. Not surprisingly, leadership is the single-most-sought-after attribute companies are looking for in CIOs as well. Kushner says there are many ways to show leadership:
You can be an early-stage person who does a bang-up job on a project. That is leadership. Rolling out a software package or tool for a compliance issue can be a chance to take the lead. Or you can be a person who has the ability to convey thought leadership to build momentum throughout the organization to build a culture of security. Leadership is something we can't always describe, but when you see it, you recognize it.
Also check out this csoonline.com post on what's in and what's out in security leadership.