Emotional intelligence - the next frontier for CISOs?
Do CISOs need an emotional approach to their duties and responsibilities? Are soft skills now just as critical as technical knowledge?
Author // David Howell
Empathy and emotional understanding have not traditionally been part of a CISOs skillet. Today, however, as CISOs look to evolve their enterprise's security stance in a post-COVID-19 business environment, the approach to security as a whole must change. The addition of softer skills that focus on the human component of network security, is now just as critical as ensuring the latest security patch has been deployed. How vital these new soft skills are for CISOs, is the focus of a recent F-Secure report. The report is enlightening, as it defines how the role of CISOs has changed. As cybersecurity has shifted its perimeter to many workforces' homes, the human element of security has become imperative to understand and manage. CISOs who want to be influential leaders, must quickly mature their emotional intelligence to ensure they are fully supporting their business's workers as they navigate what can be a complex environment of digital security. F-Secure's Tim Orchard, executive vice president, Managed Detection and Response, commented: "Today, CISOs are expected to understand and mitigate a wide variety of risks, and then relay that information - regardless of how technical it is - to everyone, from boards and company employees to external security professionals, regulators, and even law enforcement. The shift to relying more on `soft' skills began years ago. However, the pandemic highlighted how CISOs that proactively work with people inside and outside their organisations can be leaders for their companies." Improving the emotional intelligence (EI) of CISOs is critical. All enterprises understand their human capital is their company’s most precious asset. In their survey of emotional intelligence in the workplace, Capgemini concluded nearly three-quarters (74%) of executives believe EI will become a ‘must-have’ skill over the next five years.
“Without solid communication skills, it's nearly impossible to be a successful CISO”
Speaking to Digital Bulletin, Bindu Sundaresan, director, AT&T Cybersecurity, explained why high levels of EI are vital if businesses are to thrive post-pandemic and remain cyber secure: "As an industry, we have seen a common problem with empathy. We work diligently to put ourselves in the shoes of the people we are trying to protect, albeit difficult sometimes.” Sundaresan continued: “Without solid communication skills, it's nearly impossible to be a successful CISO. Beyond cyber-speak, a CISO must be able to understand and explain the risks to the business operations when a security control fails. Soft skills go beyond technical skills and are essential to the successful implementation of a security program.” CISOs and EI and technical skills are now symbiotic. Businesses, their workforces and customers have all evolved. To be a successful CISO today means being in tune with their business's strategic security goals and how the human component is the foundation of those ambitions. Says Neil Thacker, DPO and CISO at Netskope: “I believe CISOs realised many years ago that soft skills are critical to their success. As soon as information security and cybersecurity appeared on the board room agenda, strong soft skills were key in explaining how the role of the CISO was critical to the organisation’s success. CISOs have moved beyond technical discussions and have become focused on the business risk and storytelling.”
New perspectives The F-Secure report made abundantly clear that the role of the CISO has changed to one of operational oversight and strategic security planning. Appreciating the levels of security anxiety many across their workforces have developed, is new for CISOs, but an essential skill to ensure security post-COVID-19 is robust, agile and comprehensive. Indeed, the report reveals 66% of CISOs clearly understand that each of them must develop the mature emotional intelligence skills required to understand better, empathise and negotiate with other people – particularly as globalisation continues apace. CISOs have often remained invisible within their companies. This is rapidly changing. CISOs are shifting their profiles to become essential contributors to the strategic planning within their companies. A vital component of this strategy is a deeper engagement with employees who need support today than at any other time in their employment with their companies. CISOs need to raise their profile and show they appreciate the concerns of their workers and are taking a leadership role to support them.
Employees are often the weakest link in an enterprise’s cybersecurity. In its report, BT makes the astute observation that when security incidents occur, do employees feel confident they can report their error without fear of discrimination.
“The pandemic has magnified the need to deploy your human firewall,” says Quentyn Taylor, director of information security for Canon EMEA. “How easy is it or someone to confess to a cyber-error in your organisation? What's the process and the payback for reporting? To what extent do leaders in the business set an example?" Taylor concluded: “Applying EI to establish an open and supportive company culture for security is critical. If there is a breach, it is important that employees feel comfortable coming forward to share their mistakes. If an error is out in the open, it can be fixed. Also, through employees sharing their experience, businesses can pool learnings from attacks and make faster progress in crafting new defences.” Also, AT&T’s Bindu Sundaresan points out that EI delivers more effective security: “Empathy allows a CISO to effectively connect with the business leaders, customers, and employees that ultimately determine the right level of risk tolerance. Without empathy, cybersecurity becomes the department of 'no.' EI is connected to security and trust at the same time.”
“If there is a breach, it is important that employees feel comfortable coming forward to share their mistakes. If an error is out in the open, it can be fixed”
Emotional security Paul Baird, chief technology security officer UK at Qualys, concludes the close emotional bonds CISO should develop with their staff leads directly to more robust and comprehensive security business-wide: “I’ve worked on both sides of the divide here, both as a security analyst and as a leader, so this topic is close to my heart. “The biggest lesson I have learned is that you can’t treat team members as solely staff members, as tools to get a job done. Instead, you have to treat people as friends, and that means understanding what makes them tick and how they make decisions. Why is this important? You have to trust them on those decisions that get made at 3 am when a potential security risk is identified that they will make the right decisions with the information that they have available.” And what of the future for the CISO? Martin Jartelius, CSO at Outpost24, acknowledges the job has radically changed but definitely changed for the better: “Organisations need a different CISO. So, who we hire for the jobs has changed, organisations have evolved to put a price on those skills, and thereby the organisations has also driven the morphosis we observe, the security guy that can actually talk to a customer without insulting them or disrupting business – who understands his part of the organisations functions and appreciate that human relationships are key to success. The role of the CISO has changed, and hence, who fills the role.”
As the security landscape has changed, so has the approach businesses have had to take to secure their workers – their remote teams in particular – and their distributed network nodes. Evolving threats need new approaches to human-based security that starts with empathetic CISOs.