February 3, 2016 By Derek Brink

This is Part 4 in our six-part series on creating a strategy map for security leaders. Read Part 1, Part 2 and Part 3 for the full story.

The third row of our strategy map for security leaders is about the handful of critical capabilities that new school CISOs should have. They need these qualities in order to be perceived favorably by key stakeholders in the organization, which in turn will help them to deliver against their strategic objectives of managing security-related risks.

As previously discussed, it’s essential to focus on the cause-and-effect relationships between each of the four rows in a strategy map because these relationships represent the hypothesis that is the foundation for any given strategy.

A Shift in the Strategy Map

It’s also worth noting that the top two rows in a strategy map, which focus on outcomes (i.e., How is information security perceived? What business value does it provide?), will be more universally applicable than the bottom two rows, which focus on the drivers for making those outcomes happen. That is, managing security-related risks (both unrewarded and rewarded) by serving in the dual role of subject-matter expert and trusted adviser is one-size-fits-most for modern information security teams.

On the other hand, the capabilities, people, processes and systems necessary to drive those outcomes will naturally be more variable to reflect the unique context of each organization’s mix of systems, applications, data, users, regulatory requirements, industry, mission, business strategy, corporate culture and appetite for risk.

With that caveat in mind, here are two critical capabilities that are worth including in the strategy map for all security leaders.

Critical Capability No. 1: The Distinction Between Security Governance and Security Management

In smaller organizations, there isn’t always much of a distinction between different aspects of information technology and information security. Whether we’re talking about networks, storage, servers, endpoints, applications, data or security, it’s not unusual for all of it to be handled by a guy named Mike.

Although security policies are properly defined as the statement of management’s intent for the business, the reality is that in many smaller organizations, they are strongly influenced by vendors and their products’ default settings, or by Mike’s well-intentioned implementation of what he believes to represent best practices.

For any organization large enough to appoint a chief information security officer (CISO), however, it’s likely that there’s a much sharper distinction between the governance of the business function called information security and the management of information security-related people, processes and technologies.

For example, governance is about setting policies, while management is about enforcing policies. A handful of dimensions for differentiating between security governance and security management are summarized in the following table:

In general, new-school security leaders are striving for a more exclusive focus on information security governance while simultaneously getting out of the hands-on, operational aspects of information security management.

Different organizations may be at different stages of separation between these two sides. No matter what the current state, however, excellence at security governance is a critical capability for any new-school CISO.

Critical Capability No. 2: The Softer Skills of Information Security Servant Leadership

Experience has shown that the vast majority of security practitioners think of their role as one of committed, faithful and honorable service to the organization. They care very deeply about the protection they provide to their employers and to their customers. At the same time, many feel that their service is generally unrecognized, underappreciated and misunderstood.

To bridge this gap, successful security leaders are transitioning from being merely the smartest guy in the room with respect to technical matters to being in a fundamentally different relationship with others, which is often referred to as servant leadership. As initially described by Larry C. Spears, there are 10 characteristics of servant leaders — and with a little extra grouping, these characteristics very aptly describe the blend of softer skills that successful new-school CISOs need to excel:

Communicators, with the ability to:

  1. Listen;
  2. Empathize;
  3. Persuade and build consensus; and
  4. Heal and overcome divisions.

Strategists, with strengths in:

  1. Awareness;
  2. Conceptualization; and
  3. Forward-thinking.

Builders, with a commitment to:

  1. Stewardship;
  2. Growth of people; and
  3. Growth of communities.

To the extent that the current class of CISOs has risen through the ranks of hands-on roles in IT and information security, they have generally earned their success through their technical prowess with controls, countermeasures, frameworks and security management.

For many, this also means that they often struggle with the softer skills of business-level communication, management of both rewarded and unrewarded risks and the long-term cultivation of a security-conscious culture.

While it isn’t necessarily the case that the next generation of security leaders themselves need to be both tech-savvy and business-oriented — although that would be ideal — they do at least need to ensure that both hard and soft skill sets are on the information security team.
