Organizations today must ensure their chief information security officer (CISO) has the leadership and business qualities necessary to drive effective management of cyber risks. In a world where the roles and responsibilities of this position are still evolving, pinning down the traits of effective cybersecurity leaders can prove challenging, yet the stakes are too high to ignore. Having an effective security leader can be the difference between surviving the next incident or going down with the ship.
As the U.S. government’s own CISO handbook put it, “Because no two agency missions are exactly the same, no two CISO roles are exactly the same,” noting that some are essentially responsible for all information security activities, while others have taken on a more strategic, organizational-level role.
Traits of Successful CISOs
What are some traits of a successful CISO? CSO Online asked that very question of security leaders, who reported some secrets to their success.
Fifty-four percent of CISOs pointed to leadership as one of the top skills to develop. The next skill identified — communication — was selected by only 49 percent of CISOs, which is surprising given the amount of written, verbal and nonverbal communications CISOs find themselves engaged in on a daily basis. However, the third trait identified might help explain the low percentage for communication skills: 44 percent of CISOs pointed to a strong relationship with business executives, especially in cases where the security leader is treated as an equal.
Next, management skills were mentioned by 33 percent of CISOs, followed by technical skills at 21 percent. While it is somewhat surprising to see technical skills so low in the list, CISOs oversee a department full of technically qualified security professionals that should be able to fill any technical gaps.
In addition to individual traits, let’s also consider the range of interactions that CISOs have in the workplace.
CISOs Have Many Different Kinds of Interactions
Today’s CISO is responsible for interacting with multiple constituencies across the organization, from the very top levels down to entry-level employees. Here are some common CISO interactions:
- Interactions with the board — Having a CISO present to the board of directors used to be unusual. Today, board directors regularly request and receive presentations from CISOs, or consume materials specifically prepared by CISOs for board directors. This is in part due to directors being advised — by board leadership groups such as the National Association of Corporate Directors (NACD) — to increase the frequency and quality of interactions with CISOs to ensure they can effectively discharge cybersecurity fiduciary duties.
- Interactions with the C-suite — When interacting with members of the C-suite, CISOs must be on their A game. This is a prized role and requires that security leaders demonstrate their executive presence, sharp thinking, and communication and negotiation skills. McKinsey mentioned the need for organizations to make “sophisticated trade-offs” between cyber risks and business objectives. The same article also found that the biggest driver of maturity in managing cyber risks was the amount of time and attention that senior management gave the issue.
- Interactions with direct security reports — The CISO, as the head of the security function, is also responsible for quality interactions and supervision of the work performed by his or her direct reports and the entire security department. In that respect, the security leader can talk the “tech talk” and receive frequent and accurate updates about the state of security in the organization, including just how well security investments are panning out.
- Interactions with all staff — As a leader overseeing the all-important security awareness campaigns, the CISO sets the tone and walks the walk when it comes to helping every employee internalize their role in keeping sensitive data safe. Effective CISOs must ensure that awareness campaigns use all the tricks in the marketing and psychology books to get the message to stick, not just today, but next week and next month.
The Many Dimensions of Effective CISO Leadership
We know that the role of security leader requires a vast array of skills, which could fill pages. Instead, a more compact approach is to consider the CISO’s performance across four key dimensions. Why dimensions, you might ask? Because dimensions transcend the usual organizational silos. For each dimension, one should consider the CISO’s current level of performance, starting from “novice” to “understands” to “influences/advises.”
“Understands” means the CISO is able to appreciate how this dimension matters to the health and profitability of the organization, and is thus able to articulate reasonable security solutions. “Influences/advises” means the CISO has reached a point where their advice is sought after, or they strongly influence various aspects of the dimension.
The Business Dimension
It’s all business, all the time. An effective cybersecurity leader will have developed a strong understanding of key parts of the business. Effective CISOs will be a step ahead, being able to yield their influence over cyber risks during key business decisions. These CISOs take a whole-of-business approach instead of focusing on business silos, yet work with the heads of each line of business to translate the risk and ensure that risks stay within acceptable ranges.
The Human Dimension
This might be the digital and information age, but people still drive most business decisions, negotiate business risks and perform business processes. From the board and top leadership down to each and every employee, the CISO needs to exercise strong listening, negotiating and influencing skills to drive positive change in how the organization protects itself, the data it holds and the customers it serves.
An effective leader fully appreciates the value of human relationships and chooses the right medium, time and approach to have positive interactions on the often thorny issues of cyber risks and security controls. It’s not about being right; it’s more about choosing strategies that are best given the business risks and rewards. If Google can spot a leader’s level of empathy in only five minutes, effective leaders ought to know where they stand and get coached on ways to influence security culture. The CISO, as the face of security for the entire organization, is key to ensuring that security belongs to everyone.
The Technology Dimension
For the business to survive and thrive in times of digital disruption, it is critical for the CISO to understand where the organization sits in the technology dimension. Where are we in terms of technology maturity? How did we get here? What are the biggest factors holding us back?
Effective CISOs must empower the organization to move beyond the here and now and lead the organization down the path of technological evolution. CISOs who are adept in the first two dimensions will be able to help the organization achieve the digital metamorphosis that will allow it to thrive.
The Strategic and Governance Dimension
As Donna Gallaher, C-level advisor, wrote for Apex Assembly, “The role of the CISO is strategic, not tactical.” While the business dimension is about the business of the organization and management’s role in keeping everything operating smoothly, CISOs are increasingly taking part in setting strategy and providing clarity on governance-related matters.
Boards are asking more probing questions, often challenging management and the CISO to ensure that security risks are well-balanced and that the organization is ready to detect, respond to and recover from security incidents. For example, regulations such as the New York Department of Financial Services (NYDFS)’s 23 NYCRR 500 require CISOs to provide an annual report to the board about material cyber risks and the state of the organization’s security program.
CISOs must not only understand the role that the strategy and governance dimension plays in keeping the business on track to continued profits, but also participate in providing clarity to board directors about the effectiveness of security investments compared to the cyber risks faced. In larger settings, the cybersecurity leader would work alongside the chief risk officer, internal audit and audit committee to provide clarity on just how well the organization is handling its cyber risk exposure.
Beyond the Fourth Dimension: A Learning Mindset
One more characteristic of effective CISOs emerges: that of having a growth or learning mindset. Much like pioneers exploring new territories, security leaders are faced with constantly changing operating environments, shifting business priorities, administrative reshuffles and ever-changing technologies. Without a learning mindset, the CISO — and, by extension, the whole organization — is doomed to fail to adapt to the winds of change.
InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato
Chris Veltsos is a professor in the Department of Computer Information Science at Minnesota State University, Mankato where he regularly teaches Information ...