
7 Pressing Questions and Answers about Cybersecurity Leadership in the Modern Era


By: Shelby Welty

October 16, 2020

Of all the executive positions in the enterprise, few have evolved as quickly as the role of the CISO.

Traditionally, a CISO’s role focused on technical tasks, an approach that was sufficient in the past given the less complex and relatively slow-moving nature of cyberthreats. Today, it is a very different picture, where cyber risk is everywhere, and technology is advancing at a pace many organizations have a hard time keeping up with.

Today’s CISOs face an increasingly complex array of technical and administrative challenges: They must be able to embed security throughout the company’s operations, respond to threats rapidly, and collaborate closely with the leaders of other departments.

#1. What does lawful access legislation on encryption mean for CISOs?

If enacted, as similar legislation has been elsewhere in the world, the lawful access bill would allow federal agents to access encrypted devices with a signed court order. A CISO’s primary role is to make such exploits impossible and, in doing so, eliminate as many potential threats facing their organizations as possible.

Many security leaders consider such a move to be an all-out assault on encryption, since the only practical way to achieve it is by building encryption backdoors in by design. In other words, it is the exact opposite of security by design. However, lawful access could also mean foiling terrorist attacks and other serious crimes, hence the need to reach a consensus.

#2. Should CISOs focus on long-term roles or move regularly between companies?

CISOs are in big demand, and there are many thousands of unfilled positions in the US alone. According to, the median wage for a CISO is $221,148, with the top 10% earning almost $300,000.

For many, there is a strong temptation to move between companies with a view to scoring a very high-paid position in a large enterprise. Moving between companies can reveal lucrative new opportunities, especially for those who have peaked in a particular company.

On the other hand, staying put can provide a greater depth of understanding of a smaller range of skills. The choice largely depends on individual incentives, and there is no right or wrong answer that can be applied generally.

Hear Ed Amoroso, CEO of TAG Cyber, in his AMA on Security Management, cover these questions and more.

#3. What should CISOs focus on during their first year in the job?

CISOs have to focus on a wide variety of horizontal and vertical activities. Horizontal activities involve getting a surface-level knowledge and experience across a broad range of areas. The vertical activities involve going into much more depth in a specific area.

It is important to focus on both, albeit with an emphasis on leadership-related activities. CISOs need to acquire a broad range of skills, but that should not stop them from specializing either. During the first year on the job, however, it is usually better to generalize to find the optimal career fit. After all, a CISO’s role is more about strategy, communication, and leadership than about the inner workings of technology.

#4. What are the most important metrics for measuring risk?

Effectively communicating risk to the board room is one of the biggest challenges CISOs face. Many come from a technical and analytical background, and there has long been a large focus on quantitative metrics. Of course, these are important, but they do not paint the entire picture.

A proven approach is to follow the Five ‘Cs’ of measuring risk:

  • Complexity – CISOs should be focused on reducing cybersecurity complexity
  • Consequence – The consequences of an incident should be reduced
  • Conflict – There should be less conflict between cybersecurity and business strategy
  • Communication – Interdepartmental collaboration and communication must improve
  • Controls – Which security controls are in place? How do they stack up against NIST?

The above include both technical and human factors, and many CISOs assign a score to each one. These KPIs will help CISOs demonstrate the level of alignment between cybersecurity and business strategy.

#5. What is the optimal balance between technical and managerial skills?

Maintaining the right balance between technical and managerial skills is important for keeping focus in a constantly evolving discipline. Traditionally, a CISO’s role was considered a purely technical one, but recent years have seen a dramatic shift towards leadership roles. Today’s CISOs should not value tech skills higher than management, unless they want to choose a different career path in the near future.

A lot of CISOs start off in more technical roles before moving towards leadership roles. At this point, they often end up managing large teams of dedicated specialists, hence the emphasis on the management role. Specialization is still, of course, a very valuable asset, but for CISOs, it is important to have a broad understanding across many disciplines.

#6. What should people know before launching a cybersecurity startup?

Cybersecurity startups are often quick to talk about functions and features, typically placing all the emphasis on what they do and not why they do it. Given how much the industry depends on trust, transparency, and authenticity, the focus should be on the latter. If they only focus on what they do, then it is usually assumed that the motivations are purely financial.

The most successful cybersecurity startups are the result of belief and passion. For example, a startup leader might be motivated by injustice. It might even be something far more specific, such as developing a cybersecurity product for wind turbines, born out of a commitment to the environment and the systems designed to protect it.

#7. Which cybersecurity maturity models and frameworks should CISOs focus on?

There are numerous cybersecurity maturity models and frameworks to follow, making it hard to know which one to focus on. There is also a huge amount of crossover between the various models, and many are based on preexisting frameworks before being updated and changed independently. In some cases, these standards and regulations have become so convoluted that they are near impossible to follow.

The most suitable frameworks to focus on are the ones pertaining to the industry that the CISO specializes in. For example, anyone working in healthcare should have a deep understanding of HIPAA, while those working for defense contractors must be familiar with CMMI and CMMC. However, a good starting point is NIST, which forms the basis of many security frameworks in the US and elsewhere in the world.

Final Thoughts

CISOs need to acquire a unique blend of technical and leadership skills with the ultimate view of consolidating business strategy and cybersecurity into inseparable parts. With cyberthreats now facing every area of business, it has never been more important to become belief-driven, as well as both technically and business-orientated.

Cybrary helps security leaders close skills gaps and empower their teams to better tackle the challenges of today, and tomorrow. Request your demo of Cybrary for Teams today.
