Page 22 - Cyber Warnings
CIOs discuss information security leadership
Recently, I got to ask members of the CIOChat about their CISO colleagues. To be fair, this was
an aboveboard and positive discussion. And their guidance should be helpful to all CISOs,
especially those who want to build more effective relationships with their business counterparts.
CISO Communication Skills
Ed Featherston, Vice President for Cloud Technology Partners, started this discussion. Ed said
communication skills are a must-have for today’s CISOs. He said that effective CISOs must have
the ability to explain cost/risk/benefit in business terms to get buy-in and support. Chris
Petersen, an IT consultant, agreed with Ed and asserted that all C-suite personnel should be
effective and transparent communicators. Josh Wright, Chief Technical Architect for PwC, said,
however, that we have to educate CISOs.
They need to understand that “not knowing how the sausage is made doesn't make people
dumb, it makes them vulnerable to bad decisions”. EG Nadhan, Chief Technical Strategist at
Red Hat, agreed with Josh by saying that security experts are notoriously bad at talking to
normal people.
At the RSA Conference, Seth Meyers, the comedian, even made a joke about this problem by
saying it must feel good being at a conference where everyone actually knows what you are
talking about.
Steven diFilipo, CIO for the Institution for Transformational Learning, didn’t disagree with the
sentiment of Seth Meyers. diFilipo said “a CISO that communicates risk in a manner that does
not matter to others will not have their burden for long”. Peter Salvitti, CTO for Boston College,
extended diFilipo’s thought by saying there is no such thing ever as "over-communicating" risk,
compliance, and governance.
“CISO effectiveness is tied to their creativity in communication”. Steven Fox, Senior
Cybersecurity Officer for the US Department of Treasury, added that most of his
customers see opportunity where his team sees risk. Featherston confirmed Fox’s thinking by
saying “security balance/tradeoffs is like walking a tightrope over tank of hungry sharks”. CISOs
need to get business people to understand the risk of falling.
For this reason, Featherston says a hallmark characteristic of a competent CISO is the ability to
clearly and effectively communicate complex security ideas.
Become more like a business facing CIO
Melissa Woo, CIO of Stony Brook University, said that good CISOs should have the same
traits as a good CIO. Promotion opportunity? These include being a communicator, strategic,
etc. Sharon Plitt, CIO of Binghamton University, added that CISOs and CIOs must be able to
communicate risk to business partners and be able to help with identifying and managing risk.
22 Cyber Warnings E-Magazine – June 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide