CISOs & Information Risk Officers – Maintaining Relevance

Cybersecurity events have had a profound impact on consumers and businesses. Board
directors and C-Level executives are demanding to know more about the business ramifications of technology and cybersecurity risk. Their goal is to make better informed
decisions regarding the use of company resources to manage acceptable levels of risk. I believe this changing risk discipline represents both opportunity and employment volatility for CISOs and information risk officers.  Some will embrace change, get appropriate training, and experience career advancement and employment security, while others will ultimately face obsolescence.  Facing expiring skills and obsolescence is probably something we can all relate to.

Skills obsolescence hits everyone

My career officially started in the Air Force in 1984 where I was troubleshooting, repairing, and programming “computers” with paper tape, card punch, and magnetic tape reading and recording devices. Paper tape and card punch machines quickly gave way to magnetic tape, which soon gave way to refrigerator-sized four-megabyte hard drives. Long ago I remember troubleshooting, isolating a fault, and replacing three transistors within one square inch! Today we live in an era where there are millions of transistors per square inch and nobody troubleshoots and replaces components on circuit cards. Those skills became obsolete within a very short time of learning them.

Like many of you in CISO or risk management roles, my career started by evolving and adapting my skills to a changing high-tech environment through multiple versions of hardware, operating systems, software applications, and information security technologies.  My first experience of InfoSec risk management was compliance-driven checklists, usually concentrated during internal and external audits.  Non-compliance was, and in most cases still is, communicated as “issues” or “exceptions” expressed as high, medium, or low risk.  In 2014, “the year of the breach,” Board directors and C-Level executives started asking CISO’s and risk executives business impact questions that will forever change how cybersecurity risk is measured, analyzed, and reported.

Opportunity or Obsolescence – your choice

The catalyst for me writing this blog has been my recent interaction with senior executives sharing their recruiting challenges, specifically related to finding cybersecurity management talent with a strong business acumen. The overall governance of cyber risk is undergoing a deep transformation. Board and executives can no longer delegate risk decisions to IT and must ‘own’ cyber risk. Organizations are looking for information security officers and risk management professionals that not only understand the technical aspects of cybersecurity, but can articulate the impact of cybersecurity events in business terms and enable effective business decision making.

One HR director shared her perception that not all security executives are apt to learn new skills to adapt to the changing environment.  One of the most important skills in “learning agility” is your ability to “see the big picture” and the change around you. How would you answer the question “what do you believe is the most important trend happening in cyber risk management over the next few years?”

How to stay relevant and valuable

Here are some tips on how to refresh your skills and continuously reinvent yourself:

Reinvention is an uncomfortable and sometimes stressful process and much of it requires self-examination, setting your compass, and learning new skills.  Don’t wait for your business peers or leaders to demand change, but instead lead it.  As Stephen Covey described in The Seven Habits of Highly Effective People, we all have to “sharpen the saw” on a regular basis.