Yet Another We Said/He Said: What Skills Do Your CISOs Need Now?


Once again a boffo post from Dr Eric Cole over on Substack. This one is on skills CISOs need.

These will sound familiar to our blog readers!

We're going to go beyond Eric's post to discuss three aspects of CISO skill: what they should be, how to find them among your applicants, and how to build them for yourself. 

We're going to frame this in terms of the labyrinth. We've discussed that previously. It's not meant to be a mystery, but instead, a journey. 

Prelude: Why must CISOs learn new skills?

"Cybersecurity is no longer a discrete function. It is embedded in every strategic decision an organization makes—whether leaders recognize it or not.

When companies adopt AI, expand globally, partner with third parties, or digitize core operations, they are making security decisions by default. The question is whether those decisions are informed or accidental."

Part 1: What are these skills? (As per Eric, and us, and Rich Mironov):

Skill #1: Business Risk Translation

Skill #2: Strategic Influence Without Authority

Skill #3: Systems Thinking

Skill #4: AI and Automation Literacy

Skill #5: Leadership Under Pressure

Part 2: How can you find them among your CISO applicants?

Let's presume you're a hiring manager or an executive looking to build your cybersecurity function. Bottom line, you need to do two things. First, you must insist on recruiting candidates with these skills. You cannot scrimp and save, hoping they will "figure it out." Second, you need to use a talent-based assessment. Do NOT (please!) rely on someone's resume to help you intuit that they have these skills. As part of insisting on someone having talent, you need to measure the talent they have. Once you start using your "gut" you lose because you will hire people you like, who went to the right 'elite' university, or who worked at some big-name company you admire. 

In short, when you hire based on a talent assessment you know what you're getting and how to set that person up for success. When you hire based on your "gut feeling" you'll end up with a stomach ache.

Part 3: How can you build these for yourself? 

Eric says:

Spend time understanding how your business actually makes money

Reframe security updates around decisions and outcomes

Build relationships across legal, finance, and operations

Practice explaining risk without using technical language

Study leadership—not just security

We say:

These are all fine & good to an extent. There are two sets of skills here. First are business skills: learning how the company makes money, building relationships, and explaining risk. Second are personal professional skills: reframing and studying leadership. Do both!

And then there are applicant skills. Think of them this way. You're applying for your Dream Job. Question 1: "Tell us about yourself" (talk through your resume; do not spend a lot of time here). Question 2: "Tell us about a time you learned how the company makes money; what did you learn and what did you do differently next?" That's right: it's not enough to dream it, you need to build a habit of knowing this. And then there are the next few questions, just like that.

A warning, based on well-established behavioral psychology, to those seeking to improve their skills: this is not the same thing as hoping or wishing. You need to work at it, consistently, for weeks.

Here are our final skill questions for now: 

1. Finding talent is going to take more than one or two candidates. How prepared are you as a hiring manager to hold out for measuring talent, and then hiring it as soon as you find it?

2. How prepared are you as an applicant to go to the next level?

Ask us how you can find these skills -- or acquire them.

(image credit: Kmtextor, CC BY-SA 4.0 <https://creativecommons.org/licenses/by-sa/4.0>, via Wikimedia Commons)
