ABSTRACT
While many researchers have investigated soft skills for different roles related to business, engineering, healthcare and others, the soft skills needed by the chief information security officer (CISO) in a leadership position have not been studied in depth. This paper describes a first study aimed at filling this gap.
In this multimethod research, both the business leaders' perspective and an analysis of CISO job ads are studied. The business leaders' perspective is captured via a Delphi study, and the job ads are studied using a quantitative content analysis.
With an increasing threat to information security for companies, the CISO role is moving from a technical role to an executive role. This executive function is responsible for information security across all layers of an organisation. To ensure compliance with the security policy among different groups within the company, such as employees, the board, and the IT department, the CISO must be able to adopt different postures. Soft skills are thus required to be able to assume this leadership role in the organisation.
We found that when business leaders were asked about the most important soft skills, the top three consisted of 'communication', 'leadership' and 'interpersonal' skills, while 'courtesy' was last on the list for a CISO leadership role.
Keywords: Soft Skills, CISO, cybersecurity, competences
INTRODUCTION
In today's world, IT is everywhere. Organisations can no longer do without IT, and digitisation within organisations is ever accelerating. New processes, services and collaborations are the results of this digitisation (The Open University, 2019). This dependence on IT also creates new threats, such as misuse or even abuse of information (systems), as stated by the European Union Agency for Network and Information Security (ENISA, 2019, p. 9). These threats and subsequent new legislation, such as the GDPR (Council of the European Union, 2016), force organisations to have a better grip on their information security.
In a single organisation, control of information security is still the task of the IT department and the responsibility of the chief information officer (CIO), whereas in other, more information-security-aware organisations, the information security programme is the responsibility of the CISO (IGguru Information Governance News & Community, 2019), who reports to the chief executive officer (CEO).
The CISO Manifesto...





