From tech expertise to leadership: Unpacking the role of a CISO

In this Help Net Security interview, Attila Török, CISO at GoTo, discusses how to balance technical expertise and leadership and how he navigates the rapidly evolving technological landscape.

We also delve into the key challenges faced in communicating complex security issues to stakeholders and maintaining trust amidst declining trust in institutions.

In your opinion, what are the key characteristics of an effective CISO? How do you balance technical expertise and leadership skills?

A CISO needs to wear many hats across the business and juggle many competing priorities. They need to be a customer support representative, a product partner, a manager, a visionary, a strategist, and of course, a security expert.

I have found that some of the most important characteristics are to be friendly, honest, and emphatic. Being a friend to the organization and people you work with, rather than leading with just policies and demands, is critical to getting more done and the success of your team.

It may sound counterintuitive, but a good CISO must get out from behind the technology and understand the people they are serving. Of course, you must maintain a high level of technology knowledge, but if you find yourself only sitting in front of a firewall console, you’re probably in the wrong job.

Given the rapid rate of technological change, how should CISOs approach building an organization’s security posture?

With the more-rapidly-than-ever changing environment, you can rarely rely solely on multi-year strategies or multi-quarter roadmaps. You must be ready for constant change and quickly adapt to it.

CISOs must create a security strategy built around anticipating outcomes and a feedback loop to gather information during incidents, assessments, threat analysis, and research. The information gathered should then be turned into metrics which will give insights into if the strategy is working, and, if necessary, how to evolve the strategy.

In today’s business environment, a CISO must communicate complex security issues. How can you ensure you’re understood by all stakeholders, including those who aren’t as tech-savvy

Though CISOs play a lead role in managing an organization’s security posture, it is important that cybersecurity efforts manifest as a shared responsibility across an organization. From new hires to the C-suite, cybersecurity should be a communicated priority for all employees. Everyone should care about security, and if they don’t do it, it’s because they don’t understand something about the situation or ask.

Just as much as a CISO needs to learn about the business, they must also educate other business leaders on what’s out there and the landscape of evolving threats. Then, it’s important to connect these threats and the solutions back to the goals of that part of the business so teams can fully understand the role they can play in mitigating risk.

With declining trust in institutions, how can CISOs help organizations build and maintain trust among customers, employees, and stakeholders?

It’s important to prioritize security and proactively communicate initiatives with stakeholders. However, building and maintaining trust isn’t a one-size-fits-all approach. CISOs must possess the ability to effectively communicate and educate all stakeholders about the specific cyber risks relevant to their organization while also proactively outlining how it is prepared to address those risks. Implementing robust, proactive security measures and emphasizing the protection of sensitive data will reassure customers, stakeholders, and employees alike that their information is secure. Swiftly acting on emerging and existing security threats also reinforces trust and demonstrates an organization’s proactive efforts in addressing threats before they become detrimental.

The role of a CISO encompasses a wide range of responsibilities, including compliance, disaster recovery, and stakeholder management. How can a CISO effectively manage such a diverse portfolio of tasks?

There are three ways I manage competing priorities: Focus, transparency, and accountability. A CISO must focus on the tasks that have the biggest ROIs, and not get distracted by the noise. Leading with transparency will make it clear to everyone within the organization why we are making changes or asks. And finally, security posture and response can only be improved when accountability is clear. And not just accountability of the security team, but accountability from across the organization where everyone understands the responsibility.

By making data-driven decisions and conducting continuous risk assessments, CISOs can strategically allocate resources to high-priority tasks. The delicate balance lies in leading these various aspects while leveraging the expertise of a skilled team to ensure comprehensive security protection across the organization. By staffing a knowledgeable team of security experts and empowering them to take ownership of their day-to-day responsibilities, CISOs can focus their time on providing strategic and executive-level oversight on key issues.

Given the constantly evolving threat landscape, how can a CISO maintain its technological expertise while focusing on leadership and collaboration?

From a leadership standpoint, the CISO is so much more than just security. It’s truly a business leader position, they are collaborating with the other business leaders to share the same resources. CISOs must understand the organizational goals, the customer needs, and the capacity of each team to prioritize security in collaboration with product management, IT leaders, CTO, etc.

CISOs must maintain fundamental technology knowledge but rely on the team’s subject matter expertise for deeper technical aspects. It’s important to find the right training, like CISSP, and vendor-specific certifications, without overwhelming yourself.