The main added value of a CISO is discussing the right topic with the right audience using the right language.
KC: Do there need to be more female and nonbinary gender CISOs? If so, how can we attract more to the role? How can we persuade C-Suites to hire women and nonbinary gender people for the position?
MC: The current representation of women is not enough and does not encourage young female cybersecurity professionals, as they do not see the future evolution of their careers. I think the situation is actually bad in general, and we need to work much more around inclusion and diversity in the industry. Gender should be equally represented, if possible, in the teams. Our communities and societies are not built with the same profiles or clones. We are where we are in the world because we are different, and those differences allow us to create amazing things and advance towards a greater world. In the case of cybersecurity, it would be a safer world. Attracting more diversity into cybersecurity is a popular topic nowadays, but how we actually act on it is a slightly less discussed aspect.
"I think people tend to believe that a CISO needs only technical skills or needs only leadership skills. I would say that the best CISO profile would have a holistic understanding of the different areas in charge with a very good leadership acumen." –MC
Showing success stories from various lifestyles and work styles opens new perspectives and brings new opportunities. The second practical aspect would be to judge a profile by the skills and realize that we do have unconscious biases. The hiring managers should have a discussion with the CISO or the team to understand what they really want and need. Are those driven by just some biased thoughts, or are those driven by key skills required to build a successful team? The third point that I would address is building a positive culture within the security team. I am now seeing more and more amazingly diverse and successful teams where “thank you,” “please,” and “join us for lunch” are common team activities and acts of kindness rather than individualism.
KC: Excellent! Do you think the responsibilities of CISOs will change as time goes on?
MC: The CISO role will evolve, and it is already at a turning point, as the industries do not consider the CISO technical only anymore. The role of CISO must be defined as a business enabler. To achieve that in particular, it means that the CISO can include himself or herself within the company's operations and understand how it works. I always like to say have "a day in the life of." This helps tremendously to understand the others' jobs and consequently change the culture and build an efficient cybersecurity programme. I personally involve myself in all business aspects. I want to understand how it operates, how salespeople work, why certain technical decisions have been made and so on. That allows me to have that holistic approach. Thus, the future CISO will need to have a security, technical and business understanding with a pragmatic and innovative approach to new emerging technologies. Understanding the business priorities, as well as the business risk appetite, is crucial to move forward and understand where liabilities stand.
KC: I've worked with you before, and you clearly have a lot of knowledge about security policy. Is there anything else you'd like to add before we go?
MC: The general advice I, as a young CISO, would give to other security professionals is that there is an extremely important aspect of security that big companies tend to ignore. The cultural and working diversity between countries is very important to consider in order to build a resilient organization. The best CISOs will embed cybersecurity into the foundation of new initiatives and include it in the various organizational processes, bringing usability, security, culture and business efficiency together as the main goals of the CISO. It is not an easy task, and the CISO job requires a lot of hard work, strategic thinking, and sometimes fighting for the right thing to do before going live. I love my role; I try to always help bring that balance, and sometimes, unfortunately, it is not that simple nor achievable. However, when your team understands your intentions, they will definitely support you.
"In the first place, bringing in different success stories is key. There is no one unique way to succeed in a cybersecurity role; there is no one unique path to education. There are commonalities, but that doesn’t define the norm especially in an industry like cybersecurity where many are self-taught." –MC
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.