Editor’s note: This is the fourth in a weeklong ISACA Now blog series looking ahead to top priorities in 2022 for practitioners in digital trust fields. See earlier posts looking ahead to 2022 for audit practitioners, cybersecurity practitioners and privacy practitioners.
It’s that time of the year again where people are making prognostications about what will happen in the new year. Such advice is sometimes useful, sometimes accurate, and often interesting. Career advice can likewise be hit or miss. You may remember the iconic scene in the 1967 film The Graduate starring Dustin Hoffman in which the main character is implored to invest his future into one word: plastics. I hope that my advice below about the risk landscape feels applicable to the age we are in and does not overstate the importance of any one technological development (a sure sign that you are chasing the past versus preparing yourself for the future).
The three cyberrisk priorities for 2022 I’ve outlined below are meant to help professionals level up their cyberrisk practices in the coming year. Further, even if these are skillsets that you have fluency in, they can likewise be further sharpened and enhanced to ensure that you are staying abreast of the latest in your industry and maintaining awareness and capability in technologies and soft skills. Cyberrisk is an interesting discipline as we are required to straddle two worlds if we intend to do our jobs well. The first world requires that we be conversant (if not fluent) in the technologies in use today. This would be enough work for most IT jobs, but cyberrisk also asks that we have the soft skills necessary to be able to provide insight into these technologies for the executives and board directors with whom we interface. I hope that the three priorities I list below aid you in developing yourself for the next career challenge you may face.
Priority #1: Cyberrisk Quantification (CRQ) Skills
Gartner recently published a report of its survey of board directors. One key takeaway was that 88 percent of board directors view cybersecurity as a business risk. This is an overwhelming success and we should all pat ourselves on the back. For a long time, this has been the mantra of cyberrisk professionals: making business leaders understand that cybersecurity affects their business. The good news is that they are listening. The bad news is also that they are listening. Unfortunately, there are still far too many cyberrisk practitioners who have not adopted CRQ methods to help with this translation of technology to business. This new attention by board directors is going to drive more attention around quantification methods for cyberrisk.
On one hand, we have broad adoption of cybersecurity as a business risk. However, on the other hand, many still believe that cyberrisk cannot be quantitatively measured and that purely qualitative assessments based on practitioner belief and experience are enough to satisfy this business risk. These are two trains powering full speed toward each other on the same track. These two beliefs cannot both exist at the same time. The cognitive dissonance is profound.
What other business risk is likewise immeasurable? Credit? Financial? Market? Operational? Strategic? Regulatory? All these risk practices have some perspective on peril and loss that at its core translates into frequency and magnitude of loss. To truly excel at being a cyberrisk professional in 2022 is to fully embrace that cyberrisk is a board-level concern and, more importantly, that the board will expect this risk to be expressed and managed in a similar fashion to its other risks. This means translating the various missing and broken controls (of which there are many in cybersecurity) into business scenarios that the organization cares about and that can be quantitatively measured.
Priority #2: Executive Presence (EP)
Now that we’ve established that cyber is a board-level concern, are you ready to present at that level? Can you translate statistical representations of risk to non-technical audiences? How are your PowerPoint skills? It’s well-known that executives have too much content coming their way and that we all need to adapt our communications to accommodate this. How do you translate that 30-page risk report into a single slide? How do you communicate the result of this audit in a way that resonates with the various backgrounds of your audience?
This is what executive presence is about: tailoring your communications to the audience in a way that shows that you understand their concerns (listening skills) and understanding how the words you use influence the people to whom you are communicating. There are other aspects of EP that go beyond the scope of this blog post, but it is never too early to begin working on this critical skill.
Priority #3: The Ability to Learn How to Learn
I could have listed top technologies here for my third priority. Docker, Kubernetes, Airflow, Python, etc. But how good will this list be in 12 months? The truth is that the technologies that are in use today will eventually wane in popularity and be replaced by something new. It’s our job as those who assess technological risk to be familiar with these technologies but not necessarily experts in them. If you transitioned to a risk role from a technological position, then you will know certain technologies very well. Great! But know that the longer you spend outside daily use of a technology, the less comfortable you will get. So how well do you know yourself? In other words, are you familiar with the way that you learn best and are you able to motivate yourself to do this regularly? There are a variety of ways to stay engaged in learning. Certifications compel you to complete training and learning activities, and for some (myself included), this is a good motivator. If you favor reading, there are an endless number of books and articles that can help you stay up to date. In general, however, I recommend finding a way to stay engaged with the latest in the industry and cultivate a habit of continuous learning.
Here are some of the resources that I would encourage that you explore to help yourself better engage these three priorities in 2022. First, for CRQ, there is an excellent ISACA white paper available. For EP, this ISACA white paper on board communication is a great start. For more on understanding boards, the National Association of Corporate Directors (NACD) has a wealth of information. If you want to hone your slide-making skills, I recommend the Extreme Presentation Method. There are also great books on EP that can teach you more about improving the way you are perceived. Lastly, the ISACA Cybersecurity Nexus platform has interactive training courses that can help keep you up to date on security practices and the latest technologies.
Reaching the Next Level
Preparing ourselves for the next level of our careers takes time and diligent effort. You cannot become a next-level cyberrisk professional (whatever that means for you) by attending a week-long course. It requires consistent effort in learning new technologies, improving soft skills and business acumen, and having the self-discipline to continue to do so on a regular cadence. It won’t be easy, but I know you can do it. See you in 2022!
About the author: Jack Freund, Ph.D., CISA, CISM, CRISC, CGEIT, CDPSE, NACD.DC, is vp and head of cyber risk methodology for BitSight, coauthor of Measuring and Managing Information Risk, 2016 inductee into the Cybersecurity Canon, ISSA Distinguished Fellow, FAIR Institute Fellow, IAPP Fellow of Information Privacy, (ISC)2 2020 Global Achievement Awardee, and ISACA’s 2018 John W. Lainhart IV Common Body of Knowledge Award recipient.