February 12, 2016 By Christophe Veltsos 3 min read

“No longer merely a digital sheriff called on to protect the firm’s data valuables, the CISO is expected to act as a full strategic partner with the rest of the C-suite.” – Egon Zehnder’s “Evaluating and Attracting Your Next CISO: More Sophisticated Approaches for a More Sophisticated Role

The various roles that CISOs may play, including translator, diplomat, trust builder, strategic thinker and other leadership qualities, have been covered. But what is needed to support them in the role of a risk leader?

A New Challenge for the CISO

As boards and management seek to tackle cyber risks, CISOs must now rise to the challenge and adapt to the pressure of increased visibility and responsibility. When it comes to cyber risks, boards and management have turned their gaze and their trust toward the CISO to help the organization address an issue that can impact all areas of a business.

However, some CISOs might not be ready to be cyber risk leaders. Conversely, they might find themselves operating in an environment that makes it difficult for them to operate as risk leaders.

Deloitte developed and conducted CISO Transition Lab workshops to assist CISOs with the challenges of operating in environments that suffer from lack of funding, support, visibility and communications. Deloitte reported that the CISO role can be viewed as being composed of four faces:

  1. Strategist: They must drive business and cyber risk strategy alignment and instigate transformational change to manage risk.
  2. Adviser: CISOs educate, advise and influence activities with cyber risk implications.
  3. Guardian: Leaders protect business assets by managing the effectiveness of the cyber risk program.
  4. Technologist: They assess and implement security technologies and standards to build organizational capabilities.

Unfortunately, CISOs reported that they spend 77 percent of their time being guardians and technologists, despite the fact that they would like to spend more time being advisers and strategists.

What Makes a Successful Risk Leader?

The Chartered Global Management Accountant (CGMA) association argued that a successful risk leader should be:

  • Independent and influential;
  • A clear and concise communicator;
  • A standard-bearer for what’s right; and
  • Credible.

Egon Zehnder, an executive search and talent management consultancy, distilled four traits of successful leadership in the face of the many challenges presented by the modern world. These four traits are:

  1. Curiosity;
  2. Insight;
  3. Engagement; and
  4. Determination.

Building for a Better Future

For the CISOs who are ready to spend more of their time and energy setting security strategy and being risk advisers, here are some key leadership traits to develop:

  1. Have a sound understanding of the business. This is a key skill since everything the CISO does revolves around enabling the business to meet its objectives while minimizing the impact of negative risks. Yet many CISOs come from technology backgrounds and may not see the value or have the drive to ask questions that will afford them a solid picture of the business.
  2. Be a good communicator. CISOs should challenge themselves and others around them to ensure the security message is delivered as effectively as possible. Perhaps a quick review of Aristotle’s modes of persuasion might even be advised.
  3. Be receptive. Many CISOs find themselves walled up from the rest of the business due to their nonreceptive — or, worse, abrasive —ways of handling queries from fellow executives and business managers.
  4. Provide value and insight The CISO must be able to align his or her strategy and execution with the business objectives, but also have the insight to account for cyber risks that others might not fully appreciate. This is heavily dependent on the CISO’s ability to communicate and be receptive.
  5. Have good emotional IQ. CISOs must be able to see and sense the critical role that interpersonal dynamics play in all areas of the business.
  6. Have the courage and strength to fight the good fight. As the CGMA article put it, the risk leader needs to be able to “help the board set the risk appetite in line with the business model and act as wise counsel and effective challenge to the CEO, board and broader business.” While constantly butting heads with top leadership would not be advisable, an honest disagreement where CISOs can show the reason for their stance (i.e., helping the business achieve its objectives or helping shareholders achieve value) can be well-received.

More from CISO

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today