The ability to influence
Depending on the definition of ’management’, you could argue that the CISO role has developed into a management role rather than a specialist/staff function. If we work with the interpretation of ’management’ as having the ability to influence, either by inspiring a team of specialists or by communicating the significance of information security to management and board, it would seem that management skills are very important to the success of a CISO. Stakeholder management, reporting to board of directors and executive board, the battle for resources, convincing of decision-makers, change management, etc. are some of the tasks that we have seen become a larger part of the everyday life of a CISO and the focal point of their work. This also applies to CISOs who are not organisationally placed in management or have a team working under them. They are experiencing the same challenges, and they require the same ability to influence and communicate upwards and outwards in the organisation.
Management skills have become increasingly important
In 2016, Deloitte described and divided the CISO role into four different characteristics; guardian, technologist, strategist and advisor. According to Deloitte, a CISO would in 2016 in most cases (approx. 77%) draw on the technical aspects of the role, as the guardian or the technologist. Already back then, it was discussed whether the two other roles – the strategist and the advisor – would play a more important role in the future. Deloitte describes the strategist as the person who makes sure that the IT security effort complies with the company’s strategy, and who ensures innovation and long-term change and investment plans in this field. The advisor is described as the person who, in close collaboration with the company, trains and advises employees, and who constantly influences decisions related to IT security with qualified knowledge of consequences and implications.
The above traits are included in most management roles, and this supports the thesis that the CISO role has grown into a management role. From our daily dialogue with CISOs, it is our impression that what surprises and challenges them the most is the amount of energy and time they have to spend on: influencing and working the organisation, getting the necessary resources, creating the necessary peace to work, ensure the proper reporting, getting management to appreciate the actual maturity and risk situation, and generally making sure to be involved where their knowledge is required, such as in business development and digitalisation strategy.
In a previous article, we have defined the areas of responsibility of the CISO as follows:
A CISO is responsible for establishing, ensuring and maintaining the company’s vision, strategy as well as programmes and systems that ensure that the company’s data and technologies are always adequately protected. A CISO is expected to personally, or with a team, identify, develop, implement and maintain processes across the company’s value chain that reduce risks related to technology.
The areas of responsibility cover everything from incident response, establishing standards and checks, ensuring the proper management system, preparing and implementing policies and procedures as well as ensuring the required compliance.
But how much time and energy do the CISOs really spend on these pivotal and important areas of responsibility that they have been hired to handle – and how much of their time is really focused on organisational elements that are necessary in order for these tasks to even be available?
We have started a dialogue with CISOs in Denmark in order to learn more about how much time CISOs spend on working with the organisational elements of management, formally as well as informally. Including the types of management tasks that are the most time-consuming.