
As cybersecurity has changed, so has the CISO role. ‘The CISO Evolution: Business Knowledge for Cybersecurity Executives’ aims to help security leaders succeed in the C-suite.

The role of the CISO continues to grow in terms of information, dynamics and importance – especially in this time of digital change. Businesses today need online security to survive, and today’s security guidelines need to support business goals in order to be effective.

With their book, The CISO Evolution: Business Knowledge for Cybersecurity Executives, authors Matthew K. Sharp and Kyriakos “Rock” Lambros aim to provide a roadmap for CISOs running the C-suite by providing lessons in business principles through a safety glass.

Here, Lambros and Sharp discuss how CISOs can find their place in the conference room by understanding business and connecting to cybersecurity strategy. They also explain why not all CISOs need an MBA, how to be more effective at negotiating and dealing with an ongoing talent shortage.

Editor’s Note: This article has been edited for length and clarity.

Why did you choose to write CISO Evolution?

Matthew K. Sharp: In 2020, I gave a talk at RSA. Rock was there in a show of support, but no one came. It was a low standard for me. But, since we were the only ones, we started brainstorming and talking about things like, ‘How do you budget meaningfully for cybersecurity in the cloud when the cloud is strong?’

We also found that we kept going to conferences and hearing so-called thought leaders making silly statements about speaking business in business language. But, if you asked one of them, ‘Well, how do you do that?’ you’ll get the glimpse because most cybersecurity leaders in the country have no idea.

So, Rock – instead of saying, ‘I’m going to keep myself from this idiot who can’t show anyone else on his RSA desk’ – said, ‘These are great issues. Let’s write a book.’

What are some highlights from CISO Evolution?

Kyriakos “Rock” Lambros: The beginning of the book presents business principles, such as the analysis of financial statements, what is EBIT [earnings before interest and taxes] and EBITDA [earnings before interest, taxes, depreciation and amortization] and why you should worry, as a safety leader. We often find that kind of professional marketing team doesn’t exist in our business, which is a shame. And that’s the foundation on which we can understand how organizations generate value and how we conduct those discussions in boardrooms.

Note: Communicating about the protection plan is the first step to making yourself, as a CISO, relevant in the conference room. If you don’t understand how to value your business, then you can’t stand in front of someone and say, ‘It adds value,’ or, ‘It doesn’t add value.’

Do CISOs today need MBA degrees?

Lambros: We both have MBAs and Matt – fully featured. It worked for me, but not everyone needs to go out $60,000 to $100,000. It is a personal choice.

One area of CISO Evolution is that not all CISOs need a full MBA to succeed. We tried to honor our own MBA and our 40 years of combining experience in the industry into a career path. A fraudulent document to help cybersecurity leaders bridge that gap.

You write about the art of negotiation, saying ‘It’s not just getting what you want. It’s about getting what you want and making the other party feel good.’ What is your advice for CISOs who don’t trust their interviewing skills?

Sharp: Whenever you propose to change the status quo, you are in a negotiation. That means you can negotiate prices with your customers, traders and other partners in the business about resources and time, or even negotiate to retain core talent when you can’t offer promotions. If you think you’re going to be a CISO but don’t make a change, then you’re in the wrong business.

Ultimately, influences are the name of the game. We want to send you into the room equipped with all the necessary tools and guidelines you need to have a successful conversation. You need to make sure you have established meaningful relationships, built a partnership map and developed a strategy to maximize your impact. Negotiation itself is only the last part.

I really appreciate the way [former FBI agent] Chris Voss handled negotiations. He argued that empathy and mental curiosity give you the ability to sit on the same side of the table with the person you are dealing with and solve a problem. And so, rather than trying to motivate this person – resulting in lose-win or win-win negotiations – it seems better to work together.

I don’t think the traditional, me-versus-them paradigm is the appropriate way to think about negotiations, and hopefully, that’s what comes with CISO Evolution. Negotiations are about partnering to pursue success together and gaining the persistence to do some of the unsatisfactory things to achieve the best outcome for the business.

You mentioned retaining talent. How can CISOs effectively build their teams amid the continuing lack of online skills?

Lambros: Your network is the number one place where you will discover new talent. Be developed. Go out into the community, and build relationships.

You can’t give it to HR departments – they’re not connected to the cybersecurity community, where your top talent will come from. They understand what you put on paper and how to check boxes, but they don’t understand cybersecurity and its requirements.

Sometimes, you will have conflicts with HR departments. They often need degrees in college for certain job descriptions, for example, but some of the smartest and most talented people we’ve worked with in cybersecurity don’t have degrees. They have degrees from the school of hard knocking, and I take them any day. An HR expert might say, ‘Hey, in order for you to be a fifth-level employee in our organization, you have to have a brand of that person’ – it can be woven under the water; they just have to check that box. I think that’s bad in the labor market we have right now.

Sharp: Also, as a CISO, just informing the talents is really important in terms of your influence in the field. Talent monitoring is a priority for the committee because, for businesses struggling with technological change, capturing and retaining talent is a challenge. It’s not a technology because the public cloud is available. So, again, you need to understand how your security program affects the general public.

Last published in July 2022
