Seventy-five percent of chief information security officers (CISOs) say that someone on their team is asked to speak in front of the board of directors or CEO at least once a year, a CEB survey finds.
Sixty-seven percent of information security professionals across all roles say they interact with a business partner outside security at least daily, a similar survey finds.
What these findings show is that information security's rise in prominence within companies is amplifying the need for soft skills alongside technical security depth. Even employees with deep technical security backgrounds must be able to explain advanced threats to a senior audience and drive investments in security.
"Anyone can do security -- just unplug the computer," the CISO at a Fortune 500 food services company put it during our research. "The real question is, 'Can we develop people who can communicate with, engage, and understand the business?' "
[If perception is reality, you'd better start worrying. What The Business Really Thinks Of IT: 3 Hard Truths.]
CEB interviewed CISOs across the globe about their most pressing concerns, and this soft skills shortage came up repeatedly.
"I need people who understand that they are here to help the business make money and enable the business to succeed -- that's the bottom line. But it's very hard to find information security professionals who have that mindset," a CISO at a leading technology company told us.
The global shortage of technical skills in information security is by now well documented, but an equally concerning shortage of soft skills, or competencies, has gone largely unmentioned in the public discussion. Leaders in information security are beginning to take notice, and our research lends empirical support for increasing investments in growing the prevalence of soft skills in security.
Soft skills are a powerful predictor of performance in security
Using methodology from CEB SHL Talent Measurement, we have built a scientific behavioral assessment for IT staff that measures their proficiency at 12 competencies, including soft skills such as influence and organizational awareness. Using this assessment tool, we measured competencies of more than 350 information security professionals at more than 45 organizations.
We found soft-skill competencies to be more important to performance in security than technical expertise, but significantly less prevalent. Technical certification, higher education in information security, and past experience in IT -- even when combined -- are less predictive of a security professional's performance than proficiency in competencies such as business-results orientation, decision-making, influence, and organizational awareness. Startlingly, fewer than 40% of today's information security workforce is proficient in any of these four soft skills.
Although it may seem counterintuitive, soft skills' dominant impact on security professionals' effectiveness is consistent with an evolution in information security's mandate over the past several years.
In the past, security was most often a small, back-office function that interacted infrequently with the organization outside of IT. The security team made decisions about how to mitigate information risks in isolation, typically emphasizing the reduction of risk, regardless of its impact on business outcomes. The ability to identify threats and build effective technical controls was singularly important to a security professional's effectiveness. Soft skills were considered, at best, inessential.
Much has changed. Business unit leaders saw that the security team's risk aversion was detrimental to business goals, so they started circumventing security entirely. To avoid such end-runs, most CISOs shifted their teams to a more consultative model. Today, instead of working to reduce information risk in isolation, security professionals are expected to help business leaders understand risk, balance it against business goals, and choose appropriate courses of action themselves. Technical acumen remains table stakes for the security team, but if not coupled with an understanding of business context and ability to effectively influence others, this expertise is insufficient.
CEB's analysis of the most progressive CISOs' talent-management practices reveals a common set of tactics most effective at promoting staff development of soft competencies:
Invest in coaching. Contrary to conventional wisdom, soft skills are not "innate" but can be taught -- especially through effective coaching. Managers in security should look for opportunities to show their employees how they can use soft-skill competencies to more effectively execute tasks.
Create opportunities for on-the-job learning. Formal training for soft skills is rarely effective. Instead, managers in security should look for opportunities to provide staff "stretch" opportunities that will compel them to think about business realities or communicate with a non-security audience.
Make it a team effort. CISOs saw some of the most dramatic changes in staff performance when they began discussing business and organizational context during team meetings. Creating a group discussion around how security's work impacts the business is a powerful way to change the security team's mindset.
Information security executives who invest in developing staff able to understand, communicate with, and influence the many components of their organizations will see their teams brought into key projects and decisions earlier, more often, and with better outcomes. It is this embedding of security into organizations' processes that will be key to protecting information in an increasingly volatile and crowded threat environment.
Need to broaden your security team's business-tech acumen? Send them to the one-day InformationWeek Leadership Summit, Sept. 30 in New York City, at Interop New York. Use the half-off promotion code BLSUMMIT.