
Key skills for CISOs in 2025
As the cyber threat landscape evolves and regulatory demands increase, the role of the Chief Information Security Officer (CISO) is taking center stage.
According to one recent report, 100% of Fortune 500 companies and the majority of Global 2000 organizations had a CISO or CISO-equivalent role in 2023, an uptick from 70% in 2018. With cybersecurity and compliance becoming more important with each passing day, it’s all but certain that more and more organizations will hire CISOs to protect systems and keep sensitive data safe as we move into 2025 and beyond.
CISOs no doubt have a lot on their plates, as they face profound challenges like artificial intelligence, quantum computing, and fluid regulatory landscapes.
To help CISOs navigate these challenges effectively, Mattermost CMO Leigh Dow recently hosted a webinar, Building A Mission-Centric IT Organizations For 2025 And Beyond, featuring Lonnie Garris, director of information security at the Riomar Group, and Corey Hulen, Mattermost co-founder and CEO of Mattermost Federal. The session was packed with tips and strategies CISOs can use to build more resilient IT operations.
During the conversation, the group also shared insights into three key skills they believe successful CISOs should possess.
1. Soft skills
As cybersecurity becomes increasingly important, CISOs play an increasingly critical role within their organizations. They’re moving out of the confines of the server room and talking to the board about the state of the company’s IT and security posture.
To ensure CISOs excel in these situations, Garris believes it’s important to prioritize soft skills, such as effective communication, emotional intelligence, adaptability, and problem-solving capabilities.
In addition to soft skills, CISOs should also be able to talk numbers.
“How do you impact the bottom line?” Garris asks. “What’s the return on investment of IT from a cybersecurity perspective?”
To get comfortable enough to do that, CISOs should familiarize themselves with popular frameworks for quantifying cyber risk — like Factor Analysis of Information Risk (FAIR), the NIST Cybersecurity Framework (CSF), and ISO 27005.
That way, “you can go to the board and tell them, ‘If we don’t implement this type of control, there’s a risk of reputation loss, and you could lose customers to the tune of $30 million,’” Garris says.
2. Regulatory compliance knowledge
Regardless of your organization’s size, location, or industry, the regulatory landscape continues to evolve, becoming more complex with each passing day.
Since failure to comply with regulations can have devastating consequences — like substantial financial penalties, operational disruptions, legal action, and a damaged reputation — Hulen believes that CISOs must possess deep knowledge about all things compliance to ensure the organization’s security measures meet legal and industry standards.
While knowledge around compliance is important for CISOs of all organizations, it’s doubly so for those who work for critical infrastructure organizations.
“I think in this day and age, regulatory and compliance knowledge training is always sort of a must,” Hulen says. “If you’re in critical infrastructure, it’s definitely a must.”
3. The ability to help IT see the bigger picture
Dow believes that CISOs need to be adept at helping their teams understand how their roles contribute to the bigger picture.
For example, a Chief Security Officer might buy a whole new fleet of cameras to install in an office building; CISOs should help them understand how that action contributes more to operations than simple surveillance.
“It could be [it helps them see] how many people are in the building today, and that tells the cafeteria how much food they need to make, and how that helps save money and save costs,” Dow says. “It’s teaching people in IT roles to think in terms of, ‘How do I contribute to the operations of the organization beyond traditional IT?’”
Check out the full webinar for more tips, insights, and strategies on how some of today’s leading organizations are thinking about cyber resilience and mission-centric IT.