As cyber attacks multiply in number and variety, a lot of CISOs are heavily focused on the technology that defends their organizations against bad actors.
But for Ceridian CISO Colin Anderson, it’s the soft skills, rather than technical expertise, that help him to excel at his job.
“I’m not a tech guy by training,” said Anderson, who studied finance in college. “I didn’t go to school for computer engineering or computer science. I’m a people person. I’m a good communicator, a relationship builder. The tech skills I’ve developed on the job.”
“When I look back at my career, and at some of my peers who are more technically oriented, I think it’s the soft skills that have helped me in my journey as a CISO.”
Connecting cyber to business
His finance degree gave him an understanding of risk, and tools to evaluate situations, Anderson said. It also gave him a business orientation that he says is critical to the CISO’s role. Good CISOs realize that they’re good business leaders, and connecting cyber to Ceridian’s business goals is the biggest challenge he faces, he said.
That means understanding the priorities of other business functions and how cybersecurity can support them. “I want to make sure that security is an enabler, and not just a risk-management cost center,” he said.
Over the years, the CISO’s role has evolved into more of a business leadership role, with a seat at the table where strategy is formed. That requires a broader understanding of an organization’s business than was once demanded, Anderson said.
“Not every CISO is a well-rounded business leader. Those who can excel beyond their security domain and be viewed as a business leader will have a greater impact on their organization,” said Anderson, who conceptualized CISO Connect’s Top 100 CISOs peer awards, given in recognition of outstanding talent in the industry.
Speedily changing technology
This is not to say that technology isn’t a core issue. The speed with which technology changes is one of the hardest things for any technology leader to deal with, he said. “You often find security playing catch-up to technology.”
The other big challenge these days is closing the talent gap, he adds. To help narrow the speed gap and the talent gap, he’s trying to leverage automation. “I like tools that help me take mundane tasks off humans and have my team focus on the more higher-value and people-centric work.”
Anderson followed an indirect path to the CISO’s seat. Equipped with his degree in finance, he landed a job as finance manager on Bank of America’s trading floor, but he figured out early on that the “cutthroat” work environment was not for him.
“I’m seeing the managing directors in the corner office on their second or third marriages, and second or third heart attack,” he said. “It just was not the career I envisioned for myself. So I started getting into the market data feeds that were supporting the trading floors, and then I got into the security around the trading floors.”
His disillusionment came at an opportune time – the 1990s, when security was starting to take off as different risks began emerging.
“This was really interesting to me,” he said.
After Bank of America, he was in what he called a “dotcom blowup.” He was appointed to his first CISO role at Safeway in 2009, then left after a merger to join Levi Strauss, where he stayed six years before moving to Ceridian.
Developers of talent
Throughout, Anderson has put the emphasis on people and process more than on the technology, seeing the CISO’s role as a developer of talent. Mentoring team leaders, building on their individual strengths and investing time with them are priorities.
“Lots of people focus on the new shiny thing and think that will be a game-changer for them,” he said. “I don’t think technology solves broken processes. I look for tech to innovate, and drive efficiency and productivity. But rather than try to mold process and people around the technology, I mold technology around the people and the process.”
Another part of the formula to being a successful CISO involves keeping things simple, he said.
“A lot of CISOs are engineers at heart, and engineers at heart in my experience like to make things too complicated,” he said. “I think CISOs need to invest in relationships and communications. The technology is usually the easy part.”
Execution should be another key focus, he said.
“I think a lot of CISOs like to focus on strategy and the big-picture plan, but you can’t take your eyes off execution. It’s really easy for the wheels to fall off the bus.”
Supply chain worries
Challenges in cybersecurity have shifted, Anderson said.
Many CISOs are becoming more worried about their supply chains as organizations move increasingly into the cloud and become more dependent on partners to allow them to deliver services, he said.
Business resiliency is also becoming a bigger issue as organizations face a constant slew of attacks, he said.
“We’ve always focused on the paramounts of confidentiality and integrity and availability,” he said. “But these days, I think resiliency is even more important because the reality is, we are all under attack.”
Application programming interfaces (APIs) are another worry. While APIs offer businesses a lot of opportunities, they also bring a lot of risk that CISOs have to manage at a very swift pace, Anderson said.
With all the pressures a CISO faces, Anderson looks to the great outdoors to unwind. He lives in the California hills, and takes advantage of the good weather to mountain bike with his children, and hike with his wife and dog. He also listens to a lot of music and books on tape. “I like to unplug and let my mind wander,” he said.