This is Part 4 in our six-part series on creating a strategy map for security leaders. Read Part 1, Part 2 and Part 3 for the full story.
The third row of our strategy map for security leaders is about the handful of critical capabilities that new school CISOs should have. They need these qualities in order to be perceived favorably by key stakeholders in the organization, which in turn will help them to deliver against their strategic objectives of managing security-related risks.
As previously discussed, it’s essential to focus on the cause-and-effect relationships between each of the four rows in a strategy map because these relationships represent the hypothesis that is the foundation for any given strategy.
A Shift in the Strategy Map
It’s also worth noting that the top two rows in a strategy map, which focus on outcomes (i.e., How is information security perceived? What business value does it provide?) will be more universally applicable than the bottom two rows, which focus on the drivers for making those outcomes happen. That is, managing security-related risks (both unrewarded and rewarded) by serving in the dual role of subject-matter expert and trusted adviser are one-size-fits-most for modern information security teams.
On the other hand, the capabilities, people, processes and systems necessary to drive those outcomes will naturally be more variable to reflect the unique context of each organization’s mix of systems, applications, data, users, regulatory requirements, industry, mission, business strategy, corporate culture and appetite for risk.
With that caveat in mind, here are two critical capabilities that are worth including in the strategy map for all security leaders.
Critical Capability No. 1: The Distinction Between Security Governance and Security Management
In smaller organizations, there isn’t always much of a distinction between different aspects of information technology and information security. Whether we’re talking about networks, storage, servers, endpoints, applications, data or security, it’s not unusual for all of it to be handled by a guy named Mike.
Although security polices are properly defined as the statement of management’s intent for the business, the reality is that in many smaller organizations, they are strongly influenced by vendors and their default products or Mike’s well-intentioned implementation of what he believes to represent the best practices.
For any organization large enough to appoint a chief information security officer (CISO), however, it’s likely that there’s a much sharper distinction between the governance of the business function called information security and the management of information security-related people, processes and technologies.
For example, governance is about setting policies, while management is about enforcing policies. A handful of dimensions for differentiating between security governance and security management are summarized in the following table:
In general, new-school security leaders are striving for a more exclusive focus on information security governance while simultaneously getting out of the hands-on, operational aspects of information security management.
Different organizations may be at different stages of separation between these two sides. No matter what the current state, however, excellence at security governance is a critical capability for any new-school CISO.
Critical Capability No. 2: The Softer Skills of Information Security Servant Leadership
Experience has shown that the vast majority of security practitioners think of their role as one of committed, faithful and honorable service to the organization. They care very deeply about the protection they provide to their employers and to their customers. At the same time, many feel that their service is generally unrecognized, underappreciated and misunderstood.
To bridge this gap, successful security leaders are transitioning from being merely the smartest guy in the room with respect to technical matters to being in a fundamentally different relationship with others, which is often referred to as servant leadership. As initially described by Larry C. Spears, there are 10 characteristics of servant leaders — and with a little extra grouping, these characteristics very aptly describe the blend of softer skills that successful new-school CISOs need to excel:
Communicators, with the ability to:
- Listen;
- Empathize;
- Persuade and build consensus; and
- Heal and overcome divisions.
Strategists, with strengths in:
- Awareness;
- Conceptualization; and
- Forward-thinking.
Builders, with a commitment to:
- Stewardship;
- Growth of people; and
- Growth of communities.
To the extent that the current class of CISOs has risen through the ranks of hands-on roles in IT and information security, they have generally earned their success through their technical prowess with controls, countermeasures, frameworks and security management.
For many, this also means that they often struggle with the softer skills of business-level communication, management of both rewarded and unrewarded risks and the long-term cultivation of a security-conscious culture.
While it isn’t necessarily the case that the next generation of security leaders themselves need to be both tech-savvy and business-oriented — although that would be ideal — they do at least need to ensure that both hard and soft skill sets are on the information security team.
VP & Research Fellow, IT Security and IT GRC, Aberdeen Group