Closing the Cyber Skills Gap: Why Deputy CISOs Are Critical
In this article, originally published in Cyber Security Magazine, we explain the growing importance of the Deputy CISO in closing the cyber skills gap and advises on eight key competencies every security lieutenant needs to develop.
- The Era of the Security Lieutenant
- Mastering the Deputy CISO Role
- Security Requires the Entire Organization
- Download the Research: Addressing the Cyber Skills Gap
No matter how good a CISO is, there aren’t enough hours in the day to handle the myriad of new responsibilities that have been thrown at them. To be effective and ensure a strong security posture, CISOs need a lieutenant to head up each domain that falls within their scope.
Given all the challenges CISOs are likely to face moving into the new year – from supporting a permanent remote workforce and accelerating digital transformation to preparing for an expanded threat landscape – it is more critical than ever that they bring on strong deputy CISOs.
Table of contents
The Era of the Security Lieutenant
Every year we talk about the shortage of cybersecurity personnel, but it is a challenge that continues to put pressure on companies generally and CISOs specifically. One of the biggest reasons for that challenge in the security industry is the lack of effective grooming for future leaders. When organizations need to hire a CISO, they generally have to look outside for a candidate with prior experience in the role. If this trend continues, the industry will be hard-pressed to ever overcome the shortage of qualified security leaders.
This year, the skills gap will be especially acute for small and medium-sized businesses who cannot afford to hire or retain the right candidate. That is why finding and training security lieutenants from within needs to be a priority. Not only does it help CISOs be more successful in their role, it also ensures the organization has qualified individuals who can take the reigns as CISOs of the future. Further, that training needs to start early since it can take an average of three to four years.
Mastering the Deputy CISO Role
Deputy CISOs serve as the second in command, helping CISOs identify, track and respond to current security risks and oversee the implementation of new processes and strategy.
There are eight vital competencies that every security lieutenant – junior or otherwise – needs to master.
1. Understand the business.
Security is different for every company. It is about mitigating risk. If a lieutenant doesn’t fully understand the business’ crown jewels, they’ll waste a lot of time chasing down the wrong perceived risks. Lieutenants should spend at least a few weeks working on the front lines of the business to ensure they have a good understanding of how the organization’s systems are used in the real world.
2. Support the CISO in managing risk across security domains.
This should be a given – managing risk is a huge part of security, and deputies should be heavily involved in this function.
3. Maintain lines of communication across regions and business units.
For a long time, the security team has been siloed and kept separate from other company departments. It is time to break down those silos. Collaboration between the security team and the rest of the organization is a must, both to advance security objectives and to improve the overall health of the organization.
4. Oversee the implementation of security controls and policies.
Every security deputy should have the technical knowledge and experience to identify and oversee the implementation of suitable security controls and policies starting with basic hygiene. Identity and access management (IAM) plays an important role, and lieutenants need to take the lead to ensure assets – from people to data – are kept safe.
5. Listen to business needs and look for ways to support them.
Security should never be seen as a ‘blocker,’ but more as a business enabler. Security leaders and deputies should promote security by proactively building relationships across the organization and being able to explain how stronger security also supports business objectives.
6. Always be ready to embrace change.
Change is a constant theme in security, and professionals should never shy away from it. They should drive cultural change based on risks and employee behavior and promote security throughout the organization.
7. Understand technology, risk, security and organizational context.
Most security professionals are highly technical; however, far fewer have a deep understanding of how security fits into a wider business context. Even fewer have first-hand experience measuring, tracking and managing security risk in an evolving business environment.
This mixture of skills, knowledge and experience is critical. CISOs should choose deputies who actively work to develop these areas throughout their careers.
8. Educate the organization on cyber risk and readiness.
Breaches from human error have cost companies $3.50M in 2019 alone. These breaches can be at least partially attributed to the majority of employees’ lack of understanding about security and how their actions affect the security of the organization. Creating an enterprise-wide security culture is something all security professionals should strive to achieve, and it’s particularly important for security leaders.
Security Requires the Entire Organization
Security isn’t something that can be achieved by the CISO alone. It requires the support of the full security team and the whole business. Moving forward, we will see how organizations and security leaders will start to develop strategies for reducing the talent gap and leveraging internal talent to train security lieutenants.
The next generation of security leaders will need to take every opportunity to educate their colleagues about security best practices and cyber risks. They also need to advocate for security as an enabler for achieving business outcomes in order to help grow their own skills and ultimately protect all the entry points to their organization.
Download the Research: Addressing the Cyber Skills Gap
For additional CISO tips and strategies for closing the cybersecurity skills gap and preparing future security leaders, download Kudelski Security’s Executive Research Addressing the Security Leadership Talent Gap.