February 3, 2016 By Derek Brink 3 min read

This is Part 4 in our six-part series on creating a strategy map for security leaders. Read Part 1, Part 2 and Part 3 for the full story.

The third row of our strategy map for security leaders is about the handful of critical capabilities that new-school CISOs need. These capabilities are what allow them to be perceived favorably by key stakeholders in the organization, which in turn helps them deliver against their strategic objective of managing security-related risks.

As previously discussed, it’s essential to focus on the cause-and-effect relationships between each of the four rows in a strategy map because these relationships represent the hypothesis that is the foundation for any given strategy.

A Shift in the Strategy Map

It’s also worth noting that the top two rows in a strategy map, which focus on outcomes (i.e., How is information security perceived? What business value does it provide?), will be more universally applicable than the bottom two rows, which focus on the drivers that make those outcomes happen. That is, managing security-related risks (both unrewarded and rewarded) by serving in the dual role of subject-matter expert and trusted adviser is one-size-fits-most for modern information security teams.

On the other hand, the capabilities, people, processes and systems necessary to drive those outcomes will naturally be more variable to reflect the unique context of each organization’s mix of systems, applications, data, users, regulatory requirements, industry, mission, business strategy, corporate culture and appetite for risk.

With that caveat in mind, here are two critical capabilities that are worth including in the strategy map for all security leaders.

Critical Capability No. 1: The Distinction Between Security Governance and Security Management

In smaller organizations, there isn’t always much of a distinction between different aspects of information technology and information security. Whether we’re talking about networks, storage, servers, endpoints, applications, data or security, it’s not unusual for all of it to be handled by a guy named Mike.

Although security policies are properly defined as the statement of management’s intent for the business, the reality is that in many smaller organizations they are strongly influenced by vendors and their product defaults, or by Mike’s well-intentioned implementation of what he believes to be best practice.

For any organization large enough to appoint a chief information security officer (CISO), however, it’s likely that there’s a much sharper distinction between the governance of the business function called information security and the management of information security-related people, processes and technologies.

For example, governance is about setting policies, while management is about enforcing them. A handful of dimensions for differentiating between security governance and security management are summarized in the following table:

In general, new-school security leaders are striving to focus more exclusively on information security governance while simultaneously stepping back from the hands-on, operational aspects of information security management.

Different organizations may be at different stages of separation between these two sides. No matter what the current state, however, excellence at security governance is a critical capability for any new-school CISO.

Critical Capability No. 2: The Softer Skills of Information Security Servant Leadership

Experience has shown that the vast majority of security practitioners think of their role as one of committed, faithful and honorable service to the organization. They care deeply about the protection they provide to their employers and their customers. At the same time, many feel that their service is generally unrecognized, underappreciated and misunderstood.

To bridge this gap, successful security leaders are transitioning from being merely the smartest person in the room on technical matters to a fundamentally different relationship with others, often referred to as servant leadership. As initially described by Larry C. Spears, there are 10 characteristics of servant leaders, and with a little grouping these characteristics aptly describe the blend of softer skills that successful new-school CISOs need in order to excel:

Communicators, with the ability to:

  1. Listen;
  2. Empathize;
  3. Persuade and build consensus; and
  4. Heal and overcome divisions.

Strategists, with strengths in:

  1. Awareness;
  2. Conceptualization; and
  3. Forward-thinking.

Builders, with a commitment to:

  1. Stewardship;
  2. Growth of people; and
  3. Growth of communities.

To the extent that the current class of CISOs has risen through the ranks of hands-on roles in IT and information security, they have generally earned their success through technical prowess with controls, countermeasures, frameworks and security management.

For many, this also means they struggle with the softer skills: business-level communication, management of both rewarded and unrewarded risks and the long-term cultivation of a security-conscious culture.

The next generation of security leaders need not necessarily be both tech-savvy and business-oriented themselves, although that would be ideal. They do, however, at least need to ensure that both the hard and the soft skill sets are present on the information security team.
