FotolEdhar - Fotolia

CISO soft skills in demand as position evolves into leadership role

Cybersecurity industry veteran Joan Pepin discusses how the evolution of the CISO role has made soft skills essential to thrive in the information security field.

With two decades of experience in the information security field, Joan Pepin has witnessed firsthand how the business roles of chief information security officers and other cybersecurity leaders have changed. According to Pepin, the CISO at Auth0 Inc., a company based in Bellevue, Wash., that provides authentication and authorization as a service, one big shift has been the need for empathy in order to thrive in cybersecurity leadership positions.

For CISOs, this means soft skills are a must as they try to balance the company's ability to achieve its business goals with making sure the business processes used to get there are secure. In part two of this two part Q&A, Pepin discusses how CISO soft skills have become much more in demand as the role has evolved.

What are the CISO soft skills that are most in demand?

Joan Pepin: Empathy. You need to be able to understand what engineering is trying to do and what their goals are, what marketing and procurement are doing, what the customer is trying to do and what their goals are. If you can't empathize with what their goals and challenges are, you can't influence. So much flows from that: Your communication skills and communication style will flow from empathy.

You also need to be understanding of what we call the data subject -- the consumer who doesn't understand what's happening to their data -- and having empathy for them, as well as empathy with all the stakeholders. It's empathizing with everybody and making the wisest decision to push for the best outcome you can.

Joan PepinJoan Pepin

How has the CISO role evolved?

Pepin: In the old days, the CISO, I was told, was just an advisory position. Now, my roles, the roles I've held in the last seven years or so, are much more than advisory. Advisory is part of it for sure, but there's a lot more leadership involved.

I see it becoming more and more a position reporting directly to the CEO, a truly C-level position. I see CISOs have vice presidents reporting to them going forward. And I think my job as being increasingly described as chief ethicist, asking: What's the right thing to do, and not just what's the most secure thing to do? What's the proper behavior? What do customers expect from us? If a compromise has to be made, what's the most ethical compromise to make?

You were recognized as a female executive of the year, and you've advocated for workforce diversity. Why does diversity in the information security field matter?

Pepin: It's important for at least two different reasons. One, from a practical perspective, I've talked a lot about the skills gap. If we're blocking 50% of the planet from joining this career path, we're really contributing to our biggest challenge. Then the other part: Women across the globe are economically oppressed, and information security is a lucrative field. I want to get women into the information security field so they can be financially independent and make a good living.

And it's about having true diversity of thought. We can talk about different thinking styles and different ways of approaching problems, and having a diversity of thought. It's about having a different life path, thinking about things differently your whole life that will give you a different thinking process.

I spend a lot of time talking to customers, as well as advocating for them from a security perspective.
Joan PepinCISO, Auth0

What are you doing to change the low representation of women and minorities in the cybersecurity field?

Pepin: You have to be able to have the tough conversations, ask the hard questions, be in an executive meeting with the CEO and look at the scorecard and take the angry stares when you say, 'This is important,' and ask, 'What does our pipeline [for talent] look like? What are we doing to address that and how are we addressing that? Are we advertising in these places [to attract diverse talent]?'

And then you have to be willing to walk the walk, make changes to your own recruiting processes, to ask, 'Are we dissuading women and minorities from applying to positions because of how we wrote the job descriptions?' It's thinking about your biases as your sort through the application list, being willing to hire and promote women and minorities. It's constantly asking yourself, 'Would I ask this question of a white guy?' It's work, and you have to be willing to do the work.

Does your work involve your company's customers as well?

Pepin: I am extremely customer-facing. I spend a lot of time talking to customers, as well as advocating for them from a security perspective. A customer might want a feature that makes them less secure. The old saying is the customer is always right. Yes, they're right in what they want as the outcome. But their thoughts about how they get there might make them less secure, so it might not be the best thing to give them what they want. There might be some negotiation there.

Dig Deeper on Risk management and governance