Survey Says… What ‘soft skills’ are Security Leaders dealing with?

The systems security profession has matured into a discipline in which today’s information security officer must deal with a myriad of issues beyond ensuring that the proper individuals have the access they need to systems. Today’s security officer must interface with executives outside of the Information Technology department, communicate with all levels of the organization, be responsive to the Board of Directors with sufficient reporting and metrics, and understand the available technologies well enough to solve business problems and enable new business processes. In order to understand the issues that were front and center for Chief Information Security Officers (CISOs), security directors, managers, and others designated to lead the information security program within their organizations, Todd Fitzgerald and Micki Krause conducted a survey of approximately 100 security leaders from small organizations to large Fortune 50 organizations to uncover the “soft skill” issues that security officers were dealing with.

Twenty uncovered issues formed the basis for more in-depth discussion by industry leaders in the new book entitled, “CISO Leadership: Essential Principles For Success.” A subset of those issues is presented here:

Reporting Relationships

Many articles would lead one to believe that the security function has moved out of IT and into a risk management area of the organization. The truth is that, in practice, as much as security professionals want security not to be viewed as primarily an IT issue, in many organizations it still is. A full 65.2 percent of security officers reported into IT, and only 32 percent held the CISO/CSO title.

Business Acumen

The survey indicated that business acumen was viewed as a more important skill than technical knowledge for success. Understanding the business processes and the applications which support them creates an additional challenge for the security leader, on top of remaining current in the security realm. This type of training, along with vertical industry training, is rarely seen in security conference curricula and must be actively sought elsewhere.

Obtaining Budget/Management Commitment

Just as it may be difficult for a security leader to understand accounting and finance terms, it is equally difficult for an accountant to understand the value that spending more money on security will bring to the business. As programs mature and “nothing has happened lately”, the cost pressure to do more with less will arrive.

Management commitment from executives is measured less by words than by executives taking an active role: issuing memos, speaking at town hall meetings, supporting and participating in security councils and oversight committees, and committing capital and expense budgets.

Influencing/Teamwork/Political Savvy Skills

Being politically savvy, working well within teams, and understanding the stakeholders’ needs and how to satisfy them are critical to long-term success. The days of Fear, Uncertainty, and Doubt should be well behind any savvy security officer, as the results of that approach are short-lived. With 70 percent viewing this skill as “very important” and 26 percent responding “important”, the finding that only 30 percent “always” used this skill suggests that there is room for development of this skill amongst security leaders. Since many security professionals grew up through the technical ranks, this is not surprising. The technical security skills they developed are more left-brain and analytically oriented, versus the right-brain relationship skills necessary to work with others. Influencing individuals to view security as a business investment instead of a business punishment or necessary evil is a challenge.

Organizational Culture

Every organization has one, whether through planned strategic actions that shape how the organization operates or through the absence of direction and natural evolution. Culture sets the tone, framework, and operational context in which the security leader must operate. This “way of life” is determined by the tone at the top, geographical dispersion, degree of regulation, risk-taking stance, openness to change, industry vertical, creative versus controlled environments, and the views, attitudes, and feelings of the people within the organization. Security officers need to understand the dynamics of the organization within which they operate in order to integrate security with the business objectives.

Many insights were gleaned from the challenges reported by the security leaders, which led to additional themes: soft-skill CISO traits, the impact of standards and frameworks, strategic versus tactical concerns, leading change, technical knowledge, the maturity of information security, the impact of audits, end-user acceptance, organizational awareness, thinking on your feet, policy and procedure enforcement, metrics, and project management. These ideas and more are explored further through the insights of practitioners and leaders in the field in the aforementioned book.

The ascent of the security leader to higher roles within the organization has mandated the development of these ‘soft skills’ to ensure the continued successful delivery and longevity of the enterprise information security program.
