Organizations today have to balance the need for continuous evolution along the digital continuum with the need to protect their data and operations and keep cyber risk at an acceptable level. The chief information security officer (CISO) role is uniquely positioned to help organizations manage those dualities, but it requires a different set of leadership qualities for CISOs that goes well beyond their traditional role as guardians of all things technological.

An organization that goes too far in one direction risks missing valuable business opportunities, delaying technological improvements and slowing its ability to compete in the global marketplace. Going too far in the other direction could mean exposing the business to new levels of cyber risk in the course of undertaking a digital transformation — and the real possibility that these risks will rise above the tolerance level of the organization.

To account for this challenge, here are the leadership qualities CISOs must possess in order to guide their organizations down the middle of the road, taking on just the right amount of risk and adopting a suitable pace for their digital transformation.

The Evolving Responsibilities of the CISO

A 2019 report by PwC and Harvard Business Review (HBR) Analytic Services shed light on the ongoing evolution of the CISO role. Survey participants were asked about the CISO’s responsibilities today compared to three years from now. For the CISO of today, building and maintaining threat-resistant systems was the top priority (56 percent of respondents), followed by identifying potential external threat factors (51 percent).

In contrast, the priorities for CISOs three years from now focused more on executive and strategic responsibilities, as is evidenced in these top seven priorities, of which only one is technology-focused:

  1. Build an organizationwide cybersecurity culture (63 percent)
  2. Formulate strategy for cybersecurity (51 percent)
  3. Build and maintain threat-resistant systems (47 percent)
  4. Work with the risk management function to integrate cyber risk with broader risk strategy (47 percent)
  5. Address legal and regulatory compliance requirements (34 percent)
  6. Develop cybersecurity risk metrics (31 percent)
  7. Educate the board and the C-suite on cybersecurity (30 percent)

Identifying potential external threat factors moved to eighth place. For CISOs whose education, training and experience mostly focused on the technical aspects of the role, this shift in responsibilities will require developing new security leadership competencies.

The CISO as a Digital Trust Leader

As a recent IBM Security e-book stated, “With a trusted advisor, you can better anticipate disruption, adapt to a changing security landscape and look to new innovations to gain a competitive advantage without losing sight of security.”

When asked about leadership qualities for CISOs, HBR/PwC survey respondents pointed to the ability to educate and collaborate across the organization as the most critical quality (84 percent), followed by communication skills (82 percent). Tied for third place at 79 percent were the ability to make data-driven decisions — in other words, to take on smart risks — and the ability to provide strategic insight.

The CISO as a digital trust leader must be able to reach out and engage partners across the entire business, relying on excellent communication skills and organizational knowledge to zero in on high-value assets and review the most likely cyber risk scenarios. In some cases, the fix will likely come in the form of deploying improved security controls. In other instances, the CISO will have to lead negotiations around the appropriate level of cyber risk (the company’s risk appetite) and tie that level back to the risk management processes and governance structures already in place. As the IBM Security e-book points out, an effective security strategy will “shine a light on risk and bring it out into the open.”

Refresh Your Executive Competencies

What competencies do CISOs need to become better cybersecurity leaders? The HBR/PwC report pointed us toward the answer: “The right CISO is fluent in business strategy as well as technology.” Since most CISOs are already well-versed in the technology area, we’ll focus instead on the business and enterprise aspects of executive leadership qualities for CISOs. Korn Ferry, an executive placement firm, uses a well-developed set of competencies to evaluate executive leadership capacities. These competencies include what is normally expected from leadership (strategic vision; an ability to engage and inspire) as well as other capabilities that are becoming increasingly important to the CISO role:

  • The ability to balance multiple stakeholders and provide each with just the right level of information and assistance, especially when it comes to understanding and managing cyber risk.

  • The ability to balance persuasion skills with conflict management capacities. Security is often either the source of tension or conflict, because it must ensure the security and privacy of data, or a party to a conflict between other groups, for example between internal audit and the IT department.

  • The ability to manage ambiguity and critical situations as they arise — as they likely will. Matters of cybersecurity aren’t always binary, and CISOs must learn to feel comfortable with the ambiguity of business operations and business decisions. An encounter with an executive could start with a rosy tone and quickly roll downhill, but a tense standoff can evolve toward a positive resolution, given the right guidance.

For some CISOs, adopting and refining these competencies will be a natural progression from their former responsibilities. For others, evolving may require more feedback and mentoring from other executives or external consultants. Leadership qualities for CISOs are continually evolving in the direction of what’s being asked of top-level business executives. This means being able to generate an effective security strategy, prove responsible use of security investments, regularly brief top leadership and the board, and handle with ease and grace the multitude of stakeholders and relationships that are now within the CISO’s sphere of influence.
