Information security professionals need to better understand and develop business skills - because focusing on technology alone will not command respect in the boardroom.
Security must stand on its own legs and, just like any other business discipline, it must be driven by business goals,” explains Matthew Lord, CISO at IT services provider Steria. “Hiding behind legislation and policy, and being immersed in technical detail, will not deliver value to a business. Information security professionals must acquire skills that enable them to present a business case for security articulately. While they clearly need to understand today's technology and risk, they don't need to be ‘geeks'.”
Steria runs a commercial academy, primarily for sales staff, which its information security employees are encouraged to attend. Here they gain a wider appreciation of how the organisation operates, its business drivers and risk strategy.
“Risk is intrinsic to business and every organisation has its own unique appetite for it,” says Lord. “To truly support their organisations in achieving business objectives, information security professionals must operate within the confines of that appetite for risk, which requires an understanding of the larger business, not simply security and technology.”
Today, soft skills are as important as technical skills. Information security staff need to be able to communicate the threats in ‘business language', so that the organisation is able to appropriately and adequately take the necessary measures in a timely manner. Information security staff will benefit from taking presentation and report-writing courses, which will help them gain senior buy-in to their concerns about complex security risks. They will also find that their ability to talk the talk allows them to sell in new ideas and secure additional funding, all of which will enhance their value to the organisation and respect and reputation among their peer group.
Lord adds: “Other courses can give participants an understanding of psychology and how best to pitch their arguments to different people. In fact, these are skills for life, not just for business.”
There is a growing requirement for CISOs to become generic business managers. This does not mean they must leave their technical or security roots behind, but they will need a broader understanding of how businesses operate and acquire the capabilities of senior management so that, collectively with their peers, they can contribute more creatively towards their organisations' achievements.