August 2, 2019 By Christophe Veltsos 5 min read

Organizations today must ensure their chief information security officer (CISO) has the leadership and business qualities necessary to drive effective management of cyber risks. In a world where the roles and responsibilities of this position are still evolving, pinning down the traits of effective cybersecurity leaders can prove challenging, yet the stakes are too high to ignore. Having an effective security leader can be the difference between surviving the next incident or going down with the ship.

As the U.S. government’s own CISO handbook put it, “Because no two agency missions are exactly the same, no two CISO roles are exactly the same,” noting that some are essentially responsible for all information security activities, while others have taken on a more strategic, organizational-level role.

Traits of Successful CISOs

What are some traits of a successful CISO? CSO Online asked that very question of security leaders, who reported some secrets to their success.

Fifty-four percent of CISOs pointed to leadership as one of the top skills to develop. The next skill identified — communication — was selected by only 49 percent of CISOs, which is surprising given the amount of written, verbal and nonverbal communications CISOs find themselves engaged in on a daily basis. However, the third trait identified might help explain the low percentage for communication skills: 44 percent of CISOs pointed to a strong relationship with business executives, especially in cases where the security leader is treated as an equal.

Next, management skills were mentioned by 33 percent of CISOs, followed by technical skills at 21 percent. While it is somewhat surprising to see technical skills so low on the list, CISOs oversee a department full of technically qualified security professionals who should be able to fill any technical gaps.

In addition to individual traits, let’s also consider the range of interactions that CISOs have in the workplace.

CISOs Have Many Different Kinds of Interactions

Today’s CISO is responsible for interacting with multiple constituencies across the organization, from the very top levels down to entry-level employees. Here are some common CISO interactions:

  • Interactions with the board — Having a CISO present to the board of directors used to be unusual. Today, board directors regularly request and receive presentations from CISOs, or consume materials specifically prepared by CISOs for board directors. This is in part due to directors being advised — by board leadership groups such as the National Association of Corporate Directors (NACD) — to increase the frequency and quality of interactions with CISOs to ensure they can effectively discharge cybersecurity fiduciary duties.
  • Interactions with the C-suite — When interacting with members of the C-suite, CISOs must be on their A game. This is a prized role and requires that security leaders demonstrate their executive presence, sharp thinking, and communication and negotiation skills. McKinsey mentioned the need for organizations to make “sophisticated trade-offs” between cyber risks and business objectives. The same article also found that the biggest driver of maturity in managing cyber risks was the amount of time and attention that senior management gave the issue.
  • Interactions with direct security reports — The CISO, as the head of the security function, is also responsible for quality interactions and supervision of the work performed by his or her direct reports and the entire security department. In that respect, the security leader can talk the “tech talk” and receive frequent and accurate updates about the state of security in the organization, including just how well security investments are panning out.
  • Interactions with all staff — As a leader overseeing the all-important security awareness campaigns, the CISO sets the tone and walks the walk when it comes to helping every employee internalize their role in keeping sensitive data safe. Effective CISOs must ensure that awareness campaigns use all the tricks in the marketing and psychology books to get the message to stick, not just today, but next week and next month.

The Many Dimensions of Effective CISO Leadership

We know that the role of security leader requires a vast array of skills, which could fill pages. Instead, a more compact approach is to consider the CISO’s performance across four key dimensions. Why dimensions, you might ask? Because dimensions transcend the usual organizational silos. For each dimension, one should consider the CISO’s current level of performance, starting from “novice” to “understands” to “influences/advises.”

“Understands” means the CISO is able to appreciate how this dimension matters to the health and profitability of the organization, and is thus able to articulate reasonable security solutions. “Influences/advises” means the CISO has reached a point where their advice is sought after, or they strongly influence various aspects of the dimension.

The Business Dimension

It’s all business, all the time. An effective cybersecurity leader will have developed a strong understanding of key parts of the business. Effective CISOs will be a step ahead, able to wield their influence over cyber risks during key business decisions. These CISOs take a whole-of-business approach instead of focusing on business silos, yet work with the heads of each line of business to translate the risk and ensure that risks stay within acceptable ranges.

The Human Dimension

This might be the digital and information age, but people still drive most business decisions, negotiate business risks and perform business processes. From the board and top leadership down to each and every employee, the CISO needs to exercise strong listening, negotiating and influencing skills to drive positive change in how the organization protects itself, the data it holds and the customers it serves.

An effective leader fully appreciates the value of human relationships and chooses the right medium, time and approach to have positive interactions on the often thorny issues of cyber risks and security controls. It’s not about being right; it’s more about choosing strategies that are best given the business risks and rewards. If Google can spot a leader’s level of empathy in only five minutes, effective leaders ought to know where they stand and get coached on ways to influence security culture. The CISO, as the face of security for the entire organization, is key to ensuring that security belongs to everyone.

The Technology Dimension

For the business to survive and thrive in times of digital disruption, it is critical for the CISO to understand where the organization sits in the technology dimension. Where are we in terms of technology maturity? How did we get here? What are the biggest factors holding us back?

Effective CISOs must empower the organization to move beyond the here and now and lead the organization down the path of technological evolution. CISOs who are adept in the first two dimensions will be able to help the organization achieve the digital metamorphosis that will allow it to thrive.

The Strategic and Governance Dimension

As Donna Gallaher, C-level advisor, wrote for Apex Assembly, “The role of the CISO is strategic, not tactical.” While the business dimension is about the business of the organization and management’s role in keeping everything operating smoothly, CISOs are increasingly taking part in setting strategy and providing clarity on governance-related matters.

Boards are asking more probing questions, often challenging management and the CISO to ensure that security risks are well-balanced and that the organization is ready to detect, respond to and recover from security incidents. For example, regulations such as the New York Department of Financial Services (NYDFS)’s 23 NYCRR 500 require CISOs to provide an annual report to the board about material cyber risks and the state of the organization’s security program.

CISOs must not only understand the role that the strategy and governance dimension plays in keeping the business on track to continued profits, but also participate in providing clarity to board directors about the effectiveness of security investments compared to the cyber risks faced. In larger settings, the cybersecurity leader would work alongside the chief risk officer, internal audit and audit committee to provide clarity on just how well the organization is handling its cyber risk exposure.

Beyond the Fourth Dimension: A Learning Mindset

One more characteristic of effective CISOs emerges: that of having a growth or learning mindset. Much like pioneers exploring new territories, security leaders are faced with constantly changing operating environments, shifting business priorities, administrative reshuffles and ever-changing technologies. Without a learning mindset, the CISO — and, by extension, the whole organization — is doomed to fail to adapt to the winds of change.
