Having helped build out many SecureWorld conferences, I have come to realize—likely to no one's surprise—that the best cybersecurity leaders indeed have some technical prowess, but it is their soft skills that make them exceptional leaders.
The CISOs, BISOs, VPs of security architecture, CSOs, directors of information security, directors of governance, risk and compliance, deputy CISOs, chief risk officers, and others who provide thought leadership on SecureWorld agendas all have a few things in common: great communication skills, artful delegation abilities, business acumen, and a genuine care for the importance of what they do to keep people and systems safe.
Michael Gregg, the CISO for the State of North Dakota, speaks across the country, including keynoting at SecureWorld Detroit on Sep. 19 and at SecureWorld Dallas on Oct. 26. It's easy to see why he is successful. He is thoughtful, calm, and expects the best from his people while supplying the resources needed to get the job done with more efficiency and effectiveness than it was previously done.
His common sense approach to cybersecurity has made North Dakota a leader among state and local governments with unique challenges as public entities. He has created partnerships among fellow government peers—from cities to counties to federal to schools—with the private sector, and with vendors. It's no wonder after he speaks he has a line of folks waiting to learn more from him, or just to shake his hand and say thanks for his information sharing.
A recent blog by Frank Domizio titled "The CISO Role: Beyond Technology" explores exactly what I am talking about. As the author writes, "There's a softer side to it—one that revolves around people, relationships, and communication."
It's about trust, communication, collaboration, adapting in the face of change, embracing failure, and teaching the next generation of cybersecurity professionals.
Krista Arndt, CISO at United Musculoskeletal Partners, spoke about failure at SecureWorld Denver last month and will again give her inspirational keynote at SecureWorld Dallas on Oct. 26. She talks about a drag racing accident that could have taken her life and put perspective on life, family, and her role as a cybersecurity professional.
The only way forward is to learn from mistakes and failures (in her accident's case, a clip that was not put back in the breaking mechanism that sent her and her car hurling through the safety sand and net at the end of the drag strip). Those are opportunities to get better, not excuses to give up or avoid future failures.
Al Lindseth, Principal, CI5O Advisory Services LLC, will speak on effectively communicating to the board at SecureWorld Dallas on Oct. 26. That's a soft skill that even the most adept CISOs are still trying to master. But it is vital as they fight for cybersecurity budget, try to explain risk, and explain the importance of line items such as security awareness training, blue, red and purple team exercises, and more.
Here are some specific examples of why soft skills are important for CISOs:
- A CISO who is able to communicate effectively can explain complex security concepts to non-technical stakeholders in a way that they can understand. This helps build awareness of security risks and get buy-in for security initiatives.
- A CISO who builds relationships with key stakeholders can gain their support for security initiatives and get them to comply with security policies and procedures.
- A CISO who is able to lead and motivate a team of security professionals can create a high-performing team that is able to effectively protect the organization from cyber threats.
- A CISO who is able to manage change can implement new security measures in a way that minimizes disruption to the business. Security measures can often be complex and disruptive to business operations.
- A CISO who is able to negotiate and resolve conflicts can effectively resolve disputes with stakeholders and get them to agree on security solutions.
- A CISO who is able to manage risk can make informed decisions about how to allocate cybersecurity resources. There are always limited resources available for security, so CISOs need to be able to prioritize their spending.