{"id":6728,"date":"2026-01-28T07:00:00","date_gmt":"2026-01-28T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=6728"},"modified":"2026-01-28T07:00:00","modified_gmt":"2026-01-28T07:00:00","slug":"skills-cisos-need-to-master-in-2026","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=6728","title":{"rendered":"Skills CISOs need to master in 2026"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Three decades ago, when Steve Katz became the world\u2019s first CISO at Citicorp\/Citigroup, he quickly realized that his role was more than solving problems with tech. Katz had to communicate well, meet with C-level executives, and do anything in his power to reduce risk.<\/p>\n<p>\u201cThe basic philosophy that I\u2019ve had is data security, information security, information risk is a business risk issue, not a technology issue,\u201d he said in an <a href=\"https:\/\/youtu.be\/xVGQdR09hPE?si=PgPr4pmNg1GET1eE\">interview<\/a>.<\/p>\n<p>Katz realized that effective CISOs need a <a href=\"https:\/\/www.csoonline.com\/article\/573867\/top-skill-building-resources-and-advice-for-cisos.html\">blend of technical and soft skills<\/a>: they have to understand emerging technologies as well as business strategy. And in 2026, the story gets even more complicated, as CISOs operate in a difficult context, marked by tight budgets and geopolitical tensions.<\/p>\n<p>As the role evolved, some skills that once served CISOs are no longer differentiators. In their place, new capabilities are taking the spotlight, especially those tied to emerging tech. 
Today\u2019s CISOs are navigating a world built on cloud-native infrastructure, facing AI-generated attacks, and shifting regulatory rules.<\/p>\n<p>In this context, the CISO needs to be an enabler of growth, not a blocker.<\/p>\n<p>\u201cIn 2026, the CISO who thrives will look much more like a business value and resilience executive than a technical gatekeeper,\u201d says <a href=\"https:\/\/www.linkedin.com\/in\/darrenargyle\/\">Darren Argyle<\/a>, co-founder of Cyber Resilience and former group chief information security risk officer at Standard Chartered Bank.<\/p>\n<p>CISOs today are expected to influence strategy, secure investment, and guide transformation, not just protect the perimeter. And without the right mix of skills, doing all of that simply isn\u2019t possible.<\/p>\n<h2 class=\"wp-block-heading\">Must-have skills for CISOs in 2026<\/h2>\n<p>Ask security professionals what makes a strong CISO in 2026, and three qualities come up time and again: a deep understanding of the business and the wider world, strong knowledge of AI, and the ability to shape and influence culture.<\/p>\n<p>That first one \u2014 understanding the business and the world it operates in \u2014 is foundational. CISOs who grasp the broader context are better equipped to spot emerging threats, align security with business goals, and make smarter decisions that build resilience and support growth.<\/p>\n<p>This knowledge also puts them in a position to shape key decisions before risks even surface, which is exactly where modern CISOs need to be. \u201cCISOs must deliberately cultivate the ability to influence strategy, not just enforce controls,\u201d says <a href=\"https:\/\/www.linkedin.com\/in\/rbird\/\">Richard Bird<\/a>, CSO at Singulr AI.<\/p>\n<p>If CISOs operate as a \u201cbusiness translator,\u201d framing security as a driver of value rather than just a cost, they can earn a comfortable seat at the leadership table. 
\u201cA CISO who is seen to understand the business is accepted into the fold, rather than positioned as just a guardian at the gate,\u201d says <a href=\"https:\/\/www2.withsecure.com\/en\/expertise\/people\/christine-bejerasco\">Christine Bejerasco<\/a>, CISO at WithSecure.<\/p>\n<p>This collaboration is often useful to both sides. \u201cAs security becomes more deeply integrated into strategic decision-making, the ability to articulate value in both directions is essential,\u201d adds <a href=\"https:\/\/www.linkedin.com\/in\/blake-entrekin\/\">Blake Entrekin<\/a>, deputy CISO at HackerOne.<\/p>\n<p>But having social power and influence within an organization isn\u2019t solely about access to the boardroom. It also comes from building trust and security awareness at all levels, which can be achieved by showing genuine interest in people\u2019s day-to-day work.<\/p>\n<p>\u201cThink about how you can embed security into different areas of the organization by leveraging the work of the people already there, and how you can train them just enough to weave security into their existing processes,\u201d Bejerasco says.<\/p>\n<p>The second essential pillar of skills centers on artificial intelligence. CISOs need to understand the current state of AI and be up to date on the latest threats and misuse cases. This knowledge helps them \u201cbring some sanity into an organization that\u2019s often in a mad rush to incorporate AI into everything,\u201d says Bejerasco. \u201cYou are no longer the detractor preventing the adoption of new technology. You become the saner voice in the room.\u201d<\/p>\n<p>Understanding where AI systems excel and where they fall short allows CISOs to guide adoption. But technical knowledge isn\u2019t enough. 
They also need to communicate it clearly, translating complex risks into business language that the board can understand.<\/p>\n<p>They can say something along the lines of: \u201cHere\u2019s the risk in financial, operational, and reputational terms, and here\u2019s the investment trade-off,\u201d Argyle says. \u201cThe irreplaceable CISOs will use AI as a force multiplier for business cost\u2013benefit analysis but keep the judgment and storytelling firmly human. If you can\u2019t credibly challenge the way your organization is using AI and data, you\u2019re flying blind.\u201d<\/p>\n<p>When it comes to training, Argyle recommends that CISOs take \u201creputable courses in AI governance, secure use of LLMs, data protection, and model risk,\u201d ideally from universities or industry-recognized providers.<\/p>\n<p>A mistake CISOs can make is assuming they already know enough about AI to make informed decisions, when the field is evolving too quickly for static knowledge to suffice. \u201cAI will continue to compress the time between reconnaissance and exploitation, requiring CISOs to anticipate how adversaries may use AI and how defenders can leverage the same tools to stay ahead,\u201d Entrekin says.<\/p>\n<p>Lastly, in 2026, the third must-have is building a strong security culture across every level of the organization, because, as Argyle puts it, \u201ccyber is 20% technology and 80% behaviour.\u201d<\/p>\n<p>\u201cThe standout CISOs will be those who can shift the boardroom narrative to one of active support for culture change,\u201d he says. \u201cYou know culture is taking hold when teams across the business apply secure-by-design principles as second nature.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Top technical skills<\/h2>\n<p>In addition to strong knowledge of AI systems, today\u2019s CISOs need a solid foundation in the technologies that define modern enterprise environments. 
The <a href=\"https:\/\/www.isc2.org\/certifications\/cissp\">(ISC)\u00b2 CISSP<\/a> is still widely regarded as the gold standard for broad expertise in security architecture, risk management, and governance. \u201cRegulators will expect this, and it still appears in pretty much all CISO jobs,\u201d Argyle says.<\/p>\n<p>The <a href=\"https:\/\/cyberleadershipinstitute.com\/cyber-leadership-program-version-2\/\">Cyber Leadership Program<\/a> from the Cyber Leadership Institute is also highly valued. This program focuses on the leadership and influence skills CISOs need to shape strategy and secure investment.<\/p>\n<p>Other useful certifications are those connected to cloud security architecture, such as <a href=\"https:\/\/www.isc2.org\/certifications\/ccsp\">CCSP<\/a>. \u201cIf you don\u2019t have an understanding of cloud security, these courses can help you understand shared responsibility models, identity-driven security, and how modern infrastructure operates at scale,\u201d says Bejerasco.<\/p>\n<p>Finally, Bird emphasizes the growing importance of financial fluency in cybersecurity leadership. \u201cA modern risk quantification or cyber economics course is critical, since boards increasingly expect CISOs to express risk in financial terms rather than technical scores,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\">Top soft skills<\/h2>\n<p>Apart from technical skills, CISOs are also judged on how they strategize, communicate and lead. In 2026, they are expected to face pressure from all sides, including boards, regulators and vendors, not just attackers.<\/p>\n<p>\u201cStrategic judgment is foundational,\u201d says Bird. \u201cEspecially knowing when not to act as much as when to intervene.\u201d<\/p>\n<p>Sharpening strategic judgment starts with pattern recognition \u2014 connecting the dots between incidents, threat intelligence, and the company\u2019s broader business context. 
Then, CISOs need to distil that complexity into a few clear, actionable choices, each with defined risks, benefits and costs. \u201cThat\u2019s how you move from doom report to strategic advisor,\u201d says Argyle.<\/p>\n<p>Strategic thinking will have a growing ethical dimension in 2026. One of the clearest tests, Bird says, will come in AI-driven environments, where CISOs must navigate complex decisions in the absence of clear legal guardrails. It\u2019s the kind of area, he argues, that can \u201cseparate leaders from operators, notably when legal guidance lags behind technological reality.\u201d<\/p>\n<p>Critical decisions sometimes have to be made in the heat of the moment if disaster strikes. In those situations, the ability to stay calm under pressure is essential. \u201cThe CISO\u2019s job in the first 72 hours is to lower the temperature, create clarity from ambiguity, and protect trust with the boardroom, authorities, regulators, customers and staff,\u201d says Argyle.<\/p>\n<p>Another soft skill to master in 2026 is the ability to build coalitions and negotiate well with product, data, legal, HR, finance, procurement and external partners. This means CISOs need to learn how to influence without having direct authority. \u201cSecurity cannot operate in isolation,\u201d says Entrekin. \u201cInfluence and collaboration are key.\u201d<\/p>\n<p>Closely linked to this is the ability to communicate well, to speak regulatory language and move fluently between technical, legal and business worlds. \u201cBeing able to talk to the board in business terms reduced my required three times a year board reporting to two times a year,\u201d Bejerasco says. \u201cThey understood and got confident that they understood that I had it covered. That was helpful for both me and for them as well.\u201d<\/p>\n<p>All these skills have to be passed on to others in the team. 
A key part of the CISO\u2019s role is to mentor, create opportunities for growth, and help team members gradually step into leadership themselves. \u201cInvesting in people ensures continuity, resilience, and long-term organizational capability,\u201d says Entrekin.<\/p>\n<h2 class=\"wp-block-heading\">Low-cost strategies for gaining top skills<\/h2>\n<p>Many CISOs and fractional CISOs want to keep learning, but there isn\u2019t always a budget to match that ambition. Formal courses and certifications can run into the thousands of dollars, plus time away from the job. Yet the experts argue that there are low-cost solutions to this.<\/p>\n<p>One of these is tapping into regional CISO communities. This can mean joining peer groups and roundtables where professionals compare playbooks and swap incident stories. CISOs can also find mentors or mentor younger professionals in turn, strengthening their skills while giving back to the community. \u201cRegional CISO communities can offer shared knowledge, peer support, and access to collective expertise at little or no cost,\u201d Entrekin says.<\/p>\n<p>Vendors, cloud providers, and partners also tend to have free training, as well as reference architectures and playbooks. \u201cA smart CISO will negotiate learning access and workshops as part of contracts,\u201d Argyle says.<\/p>\n<p>Another low-cost strategy is to use large language models to explore emerging topics. These tools can summarize papers or threat intelligence reports, generate practice scenarios and act as a \u201csparring partner\u201d for strategies. AI subscriptions are relatively affordable, and executives can repurpose decommissioned hardware from within the organization. 
This kind of setup allows CISOs to explore AI capabilities, limitations, and risks firsthand, without needing a large budget or a formal program.<\/p>\n<p>Bejerasco also <a href=\"https:\/\/www.csoonline.com\/article\/4027000\/the-books-shaping-todays-cybersecurity-leaders.html\">recommends reading books<\/a>: \u201cBooks on negotiation, leadership, decision-making, and strategy are especially helpful and directly applicable to the CISO role, often more so than formal training.\u201d<\/p>\n<p>But another overlooked resource is the CISO\u2019s own team. Argyle suggests creating internal \u201clearning loops\u201d: short, low-cost brown-bag sessions where risk experts, engineers, architects and product owners teach each other. \u201cLack of budget is a constraint, but it\u2019s not an excuse,\u201d he says. \u201cThe best CISOs I know have always been self-directed learners.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Less relevant courses<\/h2>\n<p>Not all courses and certifications add value to a CISO\u2019s r\u00e9sum\u00e9. Credentials that are useful early in a cybersecurity career can become far less relevant by the time a security professional reaches an executive role. Examples include generic, entry-level security certifications, as well as tool-specific credentials that focus on button-clicking rather than system architecture.<\/p>\n<p>\u201cThey are not useless, but they should no longer be treated as signals of senior security leadership,\u201d Bird says.<\/p>\n<p>Other credentials that are less useful as differentiators for CISOs in 2026 include single-vendor, product-specific certifications. Deep expertise in one specific firewall or endpoint solution might have been valuable in the past, but for someone in a CISO role, it just doesn\u2019t carry a lot of weight.<\/p>\n<p>\u201cAt the CISO level, it\u2019s rarely decisive now, architectures are heterogeneous, and we\u2019re increasingly buying platform outcomes, not hero products,\u201d Argyle says. 
\u201cThese certs are fine for specialists, but they don\u2019t move the needle much for an executive.\u201d<\/p>\n<p>Courses that focus purely on memorizing standards and passing exams \u2014 without requiring participants to grapple with real-world trade-offs \u2014 are also of diminishing value at the executive level. \u201cAs a CISO you\u2019re expected to turn compliance into outcomes, not just recite clauses from a standard,\u201d Argyle says.<\/p>\n<p>For CISOs, though, certifications are necessary but not sufficient. They need to be backed by experience. Employers are looking for leaders who can run security programmes end-to-end, make tough trade-offs under pressure, and manage incidents and engage with the board with confidence. In a competitive job market, a long list of certifications won\u2019t get anyone far unless it\u2019s backed by real-world experience.<\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Three decades ago, when Steve Katz became the world\u2019s first CISO at Citicorp\/Citigroup, he quickly realized that his role was more than solving problems with tech. Katz had to communicate well, meet with C-level executives, and do anything in his power to reduce risk. 
\u201cThe basic philosophy that I\u2019ve had is data security, information security, [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":6729,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-6728","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6728"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6728"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6728\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/6729"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6728"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6728"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6728"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}