Organizations today have to balance the need for continuous evolution along the digital continuum with the need to protect their data and operations and keep cyber risk at an acceptable level. The chief information security officer (CISO) role is uniquely positioned to help organizations manage those dualities, but it requires a different set of leadership qualities for CISOs that goes well beyond their traditional role as guardians of all things technological.
An organization that goes too far in one direction risks missing valuable business opportunities, delaying technological improvements and slowing its ability to compete in the global marketplace. Going too far in the other direction could mean exposing the business to new levels of cyber risk in the course of undertaking a digital transformation — and the real possibility that these risks will rise above the tolerance level of the organization.
To account for this challenge, here are the leadership qualities CISOs must possess in order to guide their organizations down the middle of the road, taking on just the right amount of risk and adopting a suitable pace for their digital transformation.
The Evolving Responsibilities of the CISO
A 2019 report by pwc and Harvard Business Review (HBR) Analytic Services shed light on the ongoing evolution of the CISO role. Survey participants were asked about the CISO’s responsibilities today compared to three years from now. For the CISO of today, building and maintaining threat-resistant systems was the top priority (56 percent of respondents), followed by identifying potential external threat factors (51 percent).
In contrast, the priorities for CISOs three years from now focused more on executive and strategic responsibilities, as is evidenced in these top seven priorities, of which only one is technology-focused:
- Build an organizationwide cybersecurity culture (63 percent)
- Formulate strategy for cybersecurity (51 percent)
- Build and maintain threat-resistant systems (47 percent)
- Work with the risk management function to integrate cyber risk with broader risk strategy (47 percent)
- Address legal and regulatory compliance requirements (34 percent)
- Develop cybersecurity risk metrics (31 percent)
- Educate the board and the C-suite on cybersecurity (30 percent)
Identifying potential external threat factors moved to eighth place. For CISOs whose education, training and experience mostly focused on the technical aspects of the role, this shift in responsibilities will require developing new security leadership competencies.
The CISO as a Digital Trust Leader
As a recent IBM Security e-book stated, “With a trusted advisor, you can better anticipate disruption, adapt to a changing security landscape and look to new innovations to gain a competitive advantage without losing sight of security.”
When asked about leadership qualities for CISOs, HBR/pwc survey respondents pointed to the ability to educate and collaborate across the organization as the most critical quality (84 percent), followed by communication skills (82 percent). Tied for third place at 79 percent were the ability to make data-driven decisions — in other words, to take on smart risks — and provide strategic insight.
The CISO as a digital trust leader must be able to reach out and engage partners across the entire business, relying on excellent communication skills and organizational knowledge to zero-in on high-value assets and review the most likely cyber risk scenarios. In some cases, the fix will likely come in the form of deploying improved security controls. In other instances, the CISO will have to lead negotiations around the appropriate level of cyber risk — the company’s risk appetite — and tie back to the risk management processes and governance structures already in place. As the IBM Security e-book points out, an effective security strategy will “shine a light on risk and bring it out into the open.”
Refresh Your Executive Competencies
What competencies do CISOs need to become better cybersecurity leaders? The HBR/pwc report pointed us toward the answer: “The right CISO is fluent in business strategy as well as technology.” Since most CISOs are already well-versed in the technology area, we’ll focus instead on the business and enterprise aspects of executive leadership qualities for CISOs. Korn Ferry, an executive placement firm, uses a well-developed set of competencies to evaluate executive leadership capacities. These competencies include what is normally expected from leadership — strategic vision; an ability to engage and inspire — as well as other capabilities that are becoming increasingly important to the CISO role:
-
The ability to balance multiple stakeholders and provide each with just the right level of information and assistance, especially when it comes to understanding and managing cyber risk.
-
The ability to balance persuasion skills with conflict management capacities, especially since security tends to be a source of tension or conflict — needing to ensure security and privacy of data — or is often a party to it; for example, between internal audit and the IT department.
-
The ability to manage ambiguity and critical situations as they arise — as they likely will. Matters of cybersecurity aren’t always binary, and CISOs must learn to feel comfortable with the ambiguity of business operations and business decisions. An encounter with an executive could start with a rosy tone and quickly roll downhill, but a tense standoff can evolve toward a positive resolution, given the right guidance.
For some CISOs, adopting and refining these competencies will be a natural progression from their former responsibilities. For others, evolving may require more feedback and mentoring from other executives or external consultants. Leadership qualities for CISOs are continually evolving in the direction of what’s being asked of top-level business executives. This means being able to generate an effective security strategy, prove responsible use of security investments, regularly brief top leadership and the board, and handle with ease and grace the multitude of stakeholders and relationships that are now within the CISO’s sphere of influence.
InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato