This is Part 4 in our six-part series on creating a strategy map for security leaders. Read Part 1, Part 2 and Part 3 for the full story.

The third row of our strategy map for security leaders is about the handful of critical capabilities that new-school CISOs should have. They need these capabilities in order to be perceived favorably by key stakeholders in the organization, which in turn will help them deliver against their strategic objective of managing security-related risks.

As previously discussed, it’s essential to focus on the cause-and-effect relationships between each of the four rows in a strategy map because these relationships represent the hypothesis that is the foundation for any given strategy.

A Shift in the Strategy Map

It’s also worth noting that the top two rows in a strategy map, which focus on outcomes (i.e., How is information security perceived? What business value does it provide?), will be more universally applicable than the bottom two rows, which focus on the drivers that make those outcomes happen. That is, managing security-related risks (both unrewarded and rewarded) by serving in the dual role of subject-matter expert and trusted adviser is one-size-fits-most for modern information security teams.

On the other hand, the capabilities, people, processes and systems necessary to drive those outcomes will naturally be more variable to reflect the unique context of each organization’s mix of systems, applications, data, users, regulatory requirements, industry, mission, business strategy, corporate culture and appetite for risk.

With that caveat in mind, here are two critical capabilities that are worth including in the strategy map for all security leaders.

Critical Capability No. 1: The Distinction Between Security Governance and Security Management

In smaller organizations, there isn’t always much of a distinction between different aspects of information technology and information security. Whether we’re talking about networks, storage, servers, endpoints, applications, data or security, it’s not unusual for all of it to be handled by a guy named Mike.

Although security policies are properly defined as the statement of management’s intent for the business, the reality is that in many smaller organizations they are strongly influenced by vendors and their products’ default settings, or by Mike’s well-intentioned implementation of what he believes to be best practice.

For any organization large enough to appoint a chief information security officer (CISO), however, it’s likely that there’s a much sharper distinction between the governance of the business function called information security and the management of information security-related people, processes and technologies.

For example, governance is about setting policies, while management is about enforcing policies. A handful of dimensions for differentiating between security governance and security management are summarized in the following table:

In general, new-school security leaders are striving for a more exclusive focus on information security governance while simultaneously getting out of the hands-on, operational aspects of information security management.

Different organizations may be at different stages of separation between these two sides. No matter what the current state, however, excellence at security governance is a critical capability for any new-school CISO.

Critical Capability No. 2: The Softer Skills of Information Security Servant Leadership

Experience has shown that the vast majority of security practitioners think of their role as one of committed, faithful and honorable service to the organization. They care very deeply about the protection they provide to their employers and to their customers. At the same time, many feel that their service is generally unrecognized, underappreciated and misunderstood.

To bridge this gap, successful security leaders are transitioning from being merely the smartest person in the room on technical matters to a fundamentally different relationship with others, often referred to as servant leadership. As initially described by Larry C. Spears, there are 10 characteristics of servant leaders, and with a little extra grouping these characteristics aptly describe the blend of softer skills that successful new-school CISOs need in order to excel:

Communicators, with the ability to:

  1. Listen;
  2. Empathize;
  3. Persuade and build consensus; and
  4. Heal and overcome divisions.

Strategists, with strengths in:

  1. Awareness;
  2. Conceptualization; and
  3. Forward-thinking.

Builders, with a commitment to:

  1. Stewardship;
  2. Growth of people; and
  3. Growth of communities.

To the extent that the current class of CISOs has risen through the ranks of hands-on roles in IT and information security, they have generally earned their success through technical prowess with controls, countermeasures, frameworks and security management.

For many, this also means that they struggle with the softer skills: business-level communication, management of both rewarded and unrewarded risks, and the long-term cultivation of a security-conscious culture.

While it isn’t necessarily the case that the next generation of security leaders must themselves be both tech-savvy and business-oriented (although that would be ideal), they do at least need to ensure that both hard and soft skill sets are represented on the information security team.
