Soft Skills of The Chief Information Security Officer Soft Skills of The Chief Information Security Officer

This study addresses the role of a Dutch chief information security officer (CISO) and the soft skills required in this leadership role. The overview of soft skills is the outcome of the CISO perspectives in a Delphi study combined with an analysis of soft skills mentioned in job ads. A comparison with an earlier US-based study revealed that soft skills are ranked differently by Dutch CISOs. Moreover, we found that soft skills are not clearly described in job ads – none of these ads had explicitly listed soft skills. The present study demonstrates that CISOs with soft skills are in demand. The development of soft skills starts at a young age through various social activities and is also the result of self-actuation. The practical implications of this study are that it offers insights into the soft skills required for the role and discusses best-fitting leadership styles and ways in which organisations should include soft skills in recruitment.


Introduction
IT systems or IT-powered solutions are prolific nowadays. Organisations use IT systems to support the information flows in their business processes, and IT is the primary process in digitally enabled companies (The Open University, 2019). The threat of misuse or abuse of IT systems causes high risks to organisations, and the need to protect IT systems and the information they contain has therefore increased significantly (ENISA, 2019).
A chief information security officer (CISO) is responsible for an organisation's information security programme (IGguru , 2019). The CISO manifesto defines a CISO as 'a senior-level executive who has the responsibility to establish and maintain the organisation's security program' (Hayslip, 2019), and according to Death (2019), the right combination of hard and soft skills is the key to being a successful CISO. Searching for the keywords 'CISO' and 'soft skills' in academic libraries at the HU University of Applied Sciences Utrecht, the University of Amsterdam and the Amsterdam University of Applied Sciences returned a single book: CISO Soft Skills by Collette, Gentile and Gentile (2008). This observation aligns with our problem statement that there is little to no academic research on the topic of CISOs, leadership and soft skills. Our research answers the following main research question: What soft skills positively influence the CISO leadership position in Dutch organisations with more than 500 employees? 2 Soft skills for leaders Putrus (2019, p. 29) has found that the role of the CISO shifts from a technical implementer of security hardware and software to a more business-focused executive or leader. Multiple books are available both on CISO leadership, for example Essential principles for success (Fitzgerald & Krausse, 2007) and The CISO handbook (Gentile & Ron Collette, 2016), and on the CISO leadership role, risk management and CISO positions. However, here is little to no relevant academic literature that describes soft skills in relation to CISOs and their leadership position.
Our literature review revealed a broad academic view on soft skills. Defining the term 'soft skills' is complicated and influenced by multiple factors (Chimatti, 2016), and Matteson et al. (2016) state that soft skills are often a catch-all category for nontechnical skills. Technical skills are the skills required to perform a job, and soft skills are for interpersonal relations. Moreover, interactions with people (via parents, school, sports and other activities) fuel the learning process for developing soft skills.
Van Laar et al. (2017) describe a conceptual framework of 21st-century skills (learning skills, digital skills and life skills), as they suggest that employees' skills extend beyond their professional knowledge. Solely learning hard skills or gaining only professional knowledge is not sufficient for the ideal profile of the modern employee; the addition of soft skills to the skill set is emphasised by Cano et al. (2013). Their conclusion is that on one's career journey, the development of soft skills should occur in parallel to the development of the necessary hard skills. Furthermore, the development of professional IT skills is essential, and the development of personal skills will be even more significant.
Our research into soft skills in general yielded results of Weber et al, (2011);Zhang (2012) and Mar (2016). Part of the research question of this study pertains to the soft skills that positively influence the CISO leadership position. Therefore, the soft skills identified by Robles (2012, p. 455) were chosen as a foundation, as they are aimed at business leaders. Robles' list of 10 most relevant soft skills is presented below and was confirmed by our response group. No additional soft skills were introduced by the response group.
The 10 most relevant soft skills, according to Robles (2012, p. 445), are as follows:

Methodology used and research undertaken
The goal of this research is to determine the soft skills that CISOs need to be able to attain a leadership role. For this, we used a multisource research approach (Zohrabi, 2013, p. 259) consisting of a literature review, an analysis of CISO job offers published on Dutch recruitment websites and a Delphi study with CISOs ( Figure 1).

Job offer analysis
In 2020, over the course of 5 months, eight different Dutch recruitment websites were scanned for publicly published CISO job ads. The collected job offers were the input for a quantitative content analysis (Bryman & Bell, 2015, pp. 558-559) via text coding, as described in Section 4.1. The goal was to understand the demand side of job descriptions, and these insights were used as input in the Delphi study.

Delphi study
A Delphi study was conducted in the summer of 2020 to determine the soft skills from the CISO perspective. The Delphi method is an approach to capture existing knowledge and pinpoint areas of agreement or disagreement within a group of experts (Iqbal & Pipon-Young, 2009, p. 600). The target for the response group was set at 15 participants, which is a sufficient size, according to Okoli and Pwalowski (2004, p. 18).

Composition of the CISO response group and Delphi design choices
The participants in Round 1 comprised 24 out of 31 invitees who met the criteria (CISOs in a Dutch organisation with 500 or more employees), and 23 CISOs took part in Round 2. The CISO response group works in eight different categories of organisations, such as education, information and communications, and human health, and the majority of the participants have an IT technology background. The key Delphi study design decisions are presented in Table 1.

Criteria
Choices for Delphi study Number of rounds Two rounds Reason: Round 1 was to capture the expert field input, and Round 2 was to reach consensus from the respondent group (Hasson, Keeney, & McKenna, 2000)

Consensus in the Delphi study
Consensus was reached when 70% or more of the respondents agreed on statements in Round 1 or when they agreed on the majority of their feedback in Round 2, based on The Delphi Technique: Making Sense of Consensus, Hsu and Sandford (2007).

Consensus count in the Delphi study
The use of combined consensus is based on Börger (2012, p. 157), who stated that respondents using Likert scales tend to answer moderately and avoid extreme answers. Therefore, both positive answers (agree and strongly agree) were combined into one positive answer. A similar structure was used on the negative answers (disagree and strongly disagree).

Mode of operation
Remote survey Reason: difficulty in planning the availability of CISOs to participate in a group debate during the pandemic of 2020.

Anonymity
Anonymous Reason: no need for personally identifiable information or opinions during analysis of data.

Locality
In the Netherlands, Dutch organisations with more than 500 employees are considered to be an enterprise and are expected to have a mature security organisation led by a CISO.

Media
Electronic survey Reason: ease of processing for participants and researchers.

Validation of survey questions
Survey questions were validated by Gordon B Willis' (1999) Question Appraisal System (QAS-99) and with two test rounds. DIGITAL SUPPORT FROM CRISIS TO PROGRESSIVE CHANGE

Criteria
Choices for Delphi study Reason: QAS-99 provides a questionnaire preparation checklist, and field testing individual rounds prevents unclear questions and research bias.

Socially desirable answers
The questions were structured based on a five-scale Likert question with the neutral answer in Position 3. With this construct, positive answers were in Positions 1 and 2, while negative answers were in Positions 4 and 5. Using this structure, we included both the socially desirable and the extreme answers of respondents (Börger, 2012, p. 157).

Results and interpretation
This section describes the three key areas of our research results. These are the outcome of the job ads analysis, the identified soft skills from a CISO perspective based on the Delphi study and the findings of the combined meta-analysis.

CISO job ads -a qualitative data analysis
In total, 77 CISO job ads were analysed to gain insights into the soft skills that Dutch organisations demand from the CISO role. Most of the advertisements clearly described the desired hard skills in bulleted lists. However, the descriptions of soft skills in the job ads were less clear. In the 77 analysed ads, the need for soft skills was mostly formulated in descriptive sentences and not explicitly listed. Writing and communicating appeared most frequently when analysing the job ads, for example 'Excellent written & spoken English essential. Multiple languages preferred' (ING, 2019).
Text analysis provides information on the frequency of quotations, or text elements, that align with a label (groundedness of codes). In the data analysis, labelling was applied using the soft skills identified by Robles (2012), with the addition of 'leadership'. Leadership was added because this study researches the influence of soft skills on the CISO leadership position, and the adopted soft skills list does not include leadership. Our analysis of the demand for soft skills in job ads revealed that communication is the top soft skill based on the groundedness of codes, as illustrated in Figure

Outcome of the Delphi study -CISOs
All of the CISOs in the response group (N = 24) are familiar with soft skills (12.5% extremely familiar, 66.7% very familiar) and the concept of leadership style skills (50% very familiar, 50% moderately familiar).
The CISO response group, however, values the relevance of soft skills and rated the use of variations of soft skills in different organisations and with different audiences as highly relevant. Based on the soft skills identified by Robles (2012), the participants agreed (strongly agree / agree, range of means: 1.43-1.78, N = 23) that soft skills are relevant for a CISO. Although the Dutch CISOs recognised those soft skills, they had a different view on their order of importance. They agreed on the ranking, based on Round 1, with a 73.9% consensus in Round 2 (N = 23). Table  displays the soft skills' rankings. Regarding leadership style, there was consensus among the CISO response group: Round 2 revealed that 78.3% (N = 23) strongly agreed and agreed on the question, 'do you agree with the consensus of the responders that the combination of transactional and transformational leadership is the most relevant leadership style a CISO must have?'. The transactional and transformational leadership style is based on research by Gurl et al. (2019), who relate three different leadership styles (management, transactional and transformational leadership) to users' compliance intentions.
The questions regarding leadership position, leadership style and the effect of softs skills on leadership (presented in Appendix A) were valued as highly relevant in the response group. The mean -ranging from 1.57 to 1.96 (N = 23) depending on the question -suggests that the respondents agree that the effect of soft skills is relevant for a CISO leadership position.
The CISOs in our study reached a high level of consensus (+70%, N = 23) on the relevance of soft skills in the recruiting phase. They have found that these skills are a priority in selecting the best-fitting CISO and must be described in CISO-related job ads.
The data set of the Delphi CISO response group was analysed for correlation using Spearman's rank correlation coefficient, where d = the difference between ranks and n = the amount of data points: ).
This non-parametric measure of statistical dependence between the rankings of two variables is optimal for the ordinal data set of the CISO Round 2 responses (Baarda & Dijkum, 2014, p. 121). We now discuss the two most significant, positive correlations. The correlation between the relevance of CISO softs skills and CISO leadership skills is significantly positive, as shown in Appendix B. The respondents have found that a CISO applying soft skills has a better leadership position (r = 0.721, p < 0.001). The relevance is in soft skills in general for a CISO and in applying a different set of soft skills depending on the audience. Soft skills also contribute to various leadership styles in different circumstances. With a score of 0.527 on Spearman's rho, the second significant, positive correlation is between soft skills' contribution to various leadership styles in different circumstances and the prioritisation of soft skills in recruitment. Here, the CISOs emphasised the importance of the effect that soft skills have on the leadership position, and they value the focus of soft skills in the recruitment phase.

Discussion and conclusion
To answer our main research question -What soft skills positively influence the chief information security officer leadership position in Dutch organisations with more than 500 employees? -we list the relevant soft skills below. The ranking is based on both the CISO response group and the ranking from the collected job ads (both weighted equally): This list is the outcome of the research. It is our conclusion that a CISO leadership position can be improved with these soft skills.

Practical implications
The primary goal of this study is to contribute to academic evidence regarding the soft skills that positively influence the CISO leadership position. We found that CISO job descriptions should contain clearer details regarding the necessary soft skills, taking into account the leadership style for a specific organisation. Better descriptions can improve the selection process, which in turn can improve alignment between the tasks and responsibilities of a CISO and the demand from business. In addition, based on the outcome that soft skills are highly relevant, education curricula and frameworks for personal development should focus on those muchneeded skills. Lavasseur (2013) demonstrated that hard skills are developed through education and training, whereas soft skills are acquired through self-actuation; therefore, CISO-related curricula should include a focus on self-actuation.
From the analysis of the Delphi study, we found that soft skills should be a topic when recruiting a CISO. The practical implication is that an assessment of soft skills should be part of the recruitment process and balanced with the desired hard skills.
Combining the outcome of the job ads analysis and the experts' input that soft skills should be a priority in recruitment, the conclusion is that soft skills are not clearly listed in job ads. If soft skills are clearly articulated in job descriptions, then the recruitment of the most suitable candidate as well as the development of current CISOs' soft skills will be positively influenced. Furthermore, CISOs should be selfactuated for soft-skill development (Levasseur, 2013).
The questions regarding leadership position, leadership style and the effect of softs skills on leadership as part of the first Delphi round are presented below.

Leadership style and effect
A CISO has a leadership position. These questions are to get an insight in the leadership style and position of the CISO.

Q19. Leadership styles
Are you familiar with variations in leadership styles? The correlation scoring on Spearman's rho is based on the following ratio: