Bringing cyber security to the board - what skills do you need?

Building a successful career in information security isn't just about technical skills. You can have all the knowledge of programming in the world and keep up to date with the latest developments in the sector, but if you aren't able to deal with the other aspects of the job, you'll find your progress limited.

One particular skill that will be vital for any cyber security professional is communication. And the more you progress in your career, the more important it will become. Senior personnel in this area will increasingly find themselves engaging directly with board-level executives to collaborate directly on the future direction of their efforts.

The success of these discussions can make or break a business' response to an incident, especially as threats become greater and senior executives focus more on cyber as a top business risk. However, there are still signs that while progress is being made, security executives could be doing more to educate their boards.

For instance, a recent survey by training provider (ISC)2 revealed that while more than half of executives in the UK and US say they are 'very aware' of the threat of ransomware, 40 per cent were only 'somewhat' aware of this issue, despite in being one of the top cyber security threats to emerge over the past couple of years.

What's more, a fifth of executives rated the communications they have with their cyber security teams as either poor or very poor, indicating there's still a lot of work to be done in this area.

What the C-suite needs to know

Ultimately, no cyber security strategy can work effectively unless it has support from the top. At a basic level, this means ensuring board-level executives recognise the importance of these activities and give professionals the financial resources and support they need. 

Cyber security awareness is also an area that everyone in the firm needs to take responsibility for, and this starts at the very top. If employees throughout the firm can see the most senior executives take this seriously, they will too, and this begins with education and communication.

This is a two-way street, however. You also need to be prepared to take on feedback from executives, answer questions they have and reassure them about key issues and concerns. This means recognising not only what they need to know, but also how to get the information across in a format they'll understand and respond to.

(ISC)2's research identified a few key things that business executives want to hear about from their information security teams. The top issues are:

• How do security functions work with IT to ensure backups and mitigation plans will be unaffected by attacks (38 per cent)?
• What will it take to restore minimal operations if the firm is compromised (33 per cent)?
• How prepared is the business to engage with law enforcement (32 per cent)?
• How prepared is the company to work with cyber security firms to investigate and respond to attacks (30 per cent)?
• What are the business' biggest vulnerabilities (30 per cent)?

Clar Rosso, chief executive at (ISC)2, commented: "The study gives cybersecurity professionals a window into what their C-suite cares about when it comes to the potential impact of ransomware. Knowing this, and by tailoring their ransomware education and risk reporting accordingly, security teams can get the support they need to mitigate this high-profile risk to their organisation."

Key requirements for security leaders

To address these issues, the training provider highlighted a few essential soft skills that any information security professional should have in order to improve their interactions with members of the board and secure the resources and confidence they need to do their job effectively. 

• Increase communication and reporting

The results of (ISC)2's study clearly showed executives want to see overall levels of communication with security teams improve. Overall, 42 per cent of respondents said they need more timely updates after major ransomware attacks to know if their organization was affected or if it is vulnerable, while 38 per cent stated they need clearer risk assessments in order to make informed decisions. As such, professionals need to show they can be organised and responsive in meeting these expectations.

• Avoid overconfidence

Information security pros may naturally want to project a positive outlook to their bosses, but an overly-rosy picture isn't good for anyone in the long-term. Meanwhile, if C-level executives do seem unconcerned, security pros must be able to step in with facts and figures to highlight the risks. "Be clear and realistic about the threats the organisation
faces and its ability to respond to a ransomware attack. Make the threat understandable and
Relatable," (ISC)2 said.

• Tailor your message

Being able to adapt and adjust how you deliver your reports is also vital. A chief financial officer is likely to have different priorities than the legal team, for example, so it's vital you have the skills to switch things up based on your audience. Take the time to learn more about what executives care about and make this the focus of any reports or presentations.

• Make the case for extra investment

Being able to make a convincing argument for additional staff or other resources is also vital. This requires you to have an understanding of the wider business implications of any investments, show you're able to budget effectively and be able to plan effectively for the future. Executives will need to know not only what you want and how much it will cost, but what the justifications are and what the consequences will be if the investment isn't made.

Showcasing these skills

These are skills that can only be learned through experience, and if you're overly focused on qualifications and technical prowess on your CV, recruiters may overlook these skills. Therefore, it's important to highlight your management and communication expertise at every opportunity, whether it's highlighting your career achievements so far or going into more depth during your interview to shine a light on these skills. 

In an environment where competition for talent is high, those with these skills are likely to find themselves in very high demand from potential employers for the most senior information security jobs, such as chief information security officers.

Upload your CV and browse our range of cyber security jobs today to take the next step in your career.