
Analyst Chat #141: What Defines Modern Cybersecurity Leadership

How do you implement modern cybersecurity leadership between compliance, threat protection, privacy and business enablement? To answer this question, Matthias invited the CEO of KuppingerCole Analysts, Berthold Kerl, who was and is active in various roles as a leader in cybersecurity. Together they explore questions such as how important the knowledge of basic cybersecurity technologies is and what the necessary management tasks are in an organization.


Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth, I'm Lead Advisor and Senior Analyst and the director of the Practice Identity and Access Management at KuppingerCole Analysts. My guest today is, and this is an unusual fact, is Berthold Kerl, he is the CEO at KuppingerCole Analysts. Hi, Berthold. Good to see you.

Thank you for having me.

It's great to have you. And we are doing this for a very, very good reason. We are approaching the Cyber Security Leadership Summit, the CSLS 2022 in November in Berlin and virtually everywhere because we are doing that also as a virtual event and the name of this event is Cyber Security Leadership Summit. And I want to talk to you as our cybersecurity leader and as a cybersecurity leader in the past. What is cybersecurity leadership for you as an overview? What is important here?

Yeah. Thanks for the question. A very good question. Of course, we were analyzing the events markets and we really wanted to create an event which is targeted at the top level, right? So what are the topics which are interesting for the top level? That’s of course, What are the trends going on globally? And what are the challenges following out of that for organizations, for enterprises, for government, etc.? What kind of help can we get from the ecosystem? And yeah, how to take the right measures from the top to the bottom to counter these challenges. This is what the conference is about.

And so, if we talk about leadership, who are the people that need to be involved? Of course, the CISO is an obvious target to talk to, but who else in an organization is representing cybersecurity leadership, in your opinion?

Yeah, I think the cybersecurity topic has come a long way, right? I mean, in the past, it was a very “nerdy” topic done by some IT security people in the cellar of the company. But that has completely changed. Now, cybersecurity is everywhere. It's relevant to every position in the business, in the infrastructure, but of course, also in the board. Many board members understand IT and cybersecurity is very important to them. And even the supervisory board is talking about these topics. And the CISO, who is the typical leader in that regard, has to be able to talk to all these people in an adequate way.

So if we talk about the CISO, but also beyond, how important is technological know-how? How good do they need to be with IT security?

Yeah, most CISOs I know, they have a profound IT background. So that's, of course, very important. And I, on the other hand, I don't know any CISO who has no technical understanding, of course. Younger CISOs, they have even studied information security or cybersecurity. And that's a new trend, of course, because cybersecurity at university is relatively new. However, a CISO typically is not a nerd. A CISO has to be able to communicate in an adequate way to a lot of stakeholders and that is one of the important differences to what I would call a nerd.

Absolutely. And when we're talking about leadership, what constitutes leadership then beyond the IT know-how, beyond cybersecurity skills?

Yeah, as I already said, communication is key. So when you think about who are the main stakeholders of such a leader, it is the board, it is the supervisory board. But it's also the clients, they are increasingly interested in security topics, a leader has to be able to talk to partners, especially software vendors, for example, regulators, think about regulators, how important that is, or police and law enforcement. And not to forget the employees. And all of these people, they may have different backgrounds and not all of them understand tech. So a CISO has to be able to communicate in a way which can be understood by the respective target group. And I would say that's one of the key capabilities a modern CISO needs to have.

And when you say they are talking to the individual stakeholders inside the business and outside of the business, this networking within the organization, especially in the role of a CISO, which is more a control feature or control role is of a specific importance. So knowing the right people to solve existing challenges is then key.

Absolutely. Absolutely. I mean, so first of all, we are talking about leadership. So when we talk about leadership, obviously the employees are a very important stakeholder. First of all, of course, his/her own staff; obviously, a CISO has to be the leader of his own people. That goes without saying. But of course, all employees of a company are an important target group, of course. But then he has to liaise with a lot of his peers because a lot of topics cannot be solved by the CISO alone. So think of all the policies which need to be negotiated and agreed with compliance. A big and important partner would be IT. Obviously the CISO has to talk to IT about building security from start, influencing the culture there, but also motivate IT, for example, to put everything in place so that patching, for example, can be automated. And the underlying prerequisite for that, again, is higher standardization and many, many other things. Of course, the business is an important stakeholder, so the CISO has to have a core understanding of the business. And business is aware that security is not negotiable anymore. A lot of clients pay attention to these security topics. But of course, the business is also concerned about convenience and user friendliness. So the CISO also has to find a way to balance these two requirements intelligently, which is very difficult. We all know that.

Other examples are data protection. I think if you think of topics like data classification, you see how it all hangs together. Audit, it is the third line of defense in security, typically the second line of defense. So on the one hand, audit has an eye on security. So that security does its job as well. But security is also a helper of audit on a more permanent basis. Communication, when you think of social media or when you think of the new topic, which is currently coming up, disinformation, here, it's obvious that you have to talk to communication, the communication department. HR, on the one hand, I already mentioned that security is relevant for all people. So when you think of employee security awareness, you have to talk to the HR department here. But of course, security is always short on talent. So therefore you also need to work with HR to identify new talent and recruit it. And so on and so on. So you see it's a very complex and a very interconnected role in these days. And the modern CISO has to be able to talk on all levels, in the right way.

Does this also mean that the CISO and the cybersecurity leadership in general has become more visible? Is it leading by example? Is it being some kind of evangelist having this visibility within the organization and beyond?

Absolutely. So I do see a lot of CISOs not only act internally, and I think the CISO is now known almost by every employee. I give you two examples. Of course, we do see now CISOs also talking to clients of organizations, so to give the clients, first of all, the confidence that information security is treated seriously in these organizations, because every client wants to have the confidence that their data and sometimes, if it's in the financial services industry, that their money and other assets are handled accordingly. But also, sometimes CISOs help even clients to achieve a higher level of their own security. And that's also a role I've seen CISOs performing these days. So from that perspective, yeah, they are visible inside and outside. And lastly, I do see, I have seen, our first examples that CISOs even make it to the very top of the organization, to the CEO, because in some industries, information security is so important. And I already outlined the complexity of the role, which is a good preparation even for the highest level of management.

Absolutely. And maybe one final thought before we close down. We are talking about the Cybersecurity Leadership Summit in Berlin. And of course, such an event is looking at new trends. And these trends also influence the role of a CISO. Which are some of the trends that you see where CISOs will have to adapt to in the future?

Yeah, I think the role of the CSO is constantly changing and that's certainly a topic which we will cover also at CSLS, so we will of course talk about the topics which are still relevant for CISOs, and information security leaders. Cyber hygiene, for example, is falling into that category. But we will also cover relatively new topics or topics which have become more relevant in recent times. Think about state sponsored attacks or think about security in the metaverse or in Web3, which are topics which are now coming up and have to be treated by cybersecurity leaders going forward.

Absolutely. So this has been a very unusual Analyst Chat without an analyst, but with my CEO here at KuppingerCole Analysts. Just to wrap it up: Cybersecurity Leadership Summit will take place from the 8th to the 10th of November in Berlin and virtually everywhere, being a virtual event as well. Join us in Berlin, Berthold will be there, I will be there and many of my analyst colleagues will be there. The CISO council will be there. And there will be lots of interesting speakers from various organizations, including Lufthansa or the German government.

I think everyone who will come there can expect to meet a lot of cybersecurity leaders from well-known companies. So that's a very good opportunity to not only talk to me and get my view, but also to get their view of what they think a good leader is. And I think people can learn from that.

Absolutely. And I think one of the important aspects is networking at such an event. Of course, learning, of course, interacting, but panels and just the casual talk with a cup of coffee with the peers, this is what is of importance, and that's the reason why it makes sense to be there in person. Thank you very much, Berthold, for being my guest today. This was the first time, but it was a great episode. Thank you for attending and looking forward to having you soon in the future.

Thanks again for inviting me and good luck with future podcasts.

Thank you and bye bye.
