February 7, 2020 By Christophe Veltsos 4 min read

Organizations today have to balance the need for continuous evolution along the digital continuum with the need to protect their data and operations and keep cyber risk at an acceptable level. The chief information security officer (CISO) role is uniquely positioned to help organizations manage those dualities, but it requires a different set of leadership qualities for CISOs that goes well beyond their traditional role as guardians of all things technological.

An organization that goes too far in one direction risks missing valuable business opportunities, delaying technological improvements and slowing its ability to compete in the global marketplace. Going too far in the other direction could mean exposing the business to new levels of cyber risk in the course of undertaking a digital transformation — and the real possibility that these risks will rise above the tolerance level of the organization.

To meet this challenge, here are the leadership qualities CISOs must possess in order to guide their organizations down the middle of the road, taking on just the right amount of risk and adopting a suitable pace for their digital transformation.

The Evolving Responsibilities of the CISO

A 2019 report by PwC and Harvard Business Review (HBR) Analytic Services shed light on the ongoing evolution of the CISO role. Survey participants were asked about the CISO’s responsibilities today compared to three years from now. For the CISO of today, building and maintaining threat-resistant systems was the top priority (56 percent of respondents), followed by identifying potential external threat factors (51 percent).

In contrast, the priorities for CISOs three years from now focused more on executive and strategic responsibilities, as is evidenced in these top seven priorities, of which only one is technology-focused:

  1. Build an organization-wide cybersecurity culture (63 percent)
  2. Formulate strategy for cybersecurity (51 percent)
  3. Build and maintain threat-resistant systems (47 percent)
  4. Work with the risk management function to integrate cyber risk with broader risk strategy (47 percent)
  5. Address legal and regulatory compliance requirements (34 percent)
  6. Develop cybersecurity risk metrics (31 percent)
  7. Educate the board and the C-suite on cybersecurity (30 percent)

Identifying potential external threat factors moved to eighth place. For CISOs whose education, training and experience mostly focused on the technical aspects of the role, this shift in responsibilities will require developing new security leadership competencies.

The CISO as a Digital Trust Leader

As a recent IBM Security e-book stated, “With a trusted advisor, you can better anticipate disruption, adapt to a changing security landscape and look to new innovations to gain a competitive advantage without losing sight of security.”

When asked about leadership qualities for CISOs, HBR/PwC survey respondents pointed to the ability to educate and collaborate across the organization as the most critical quality (84 percent), followed by communication skills (82 percent). Tied for third place at 79 percent were the ability to make data-driven decisions, in other words to take on smart risks, and the ability to provide strategic insight.

The CISO as a digital trust leader must be able to reach out and engage partners across the entire business, relying on excellent communication skills and organizational knowledge to zero in on high-value assets and review the most likely cyber risk scenarios. In some cases, the fix will come in the form of deploying improved security controls. In other instances, the CISO will have to lead negotiations around the appropriate level of cyber risk, the company’s risk appetite, and tie the outcome back to the risk management processes and governance structures already in place. As the IBM Security e-book points out, an effective security strategy will “shine a light on risk and bring it out into the open.”

Refresh Your Executive Competencies

What competencies do CISOs need to become better cybersecurity leaders? The HBR/PwC report pointed us toward the answer: “The right CISO is fluent in business strategy as well as technology.” Since most CISOs are already well-versed in the technology area, we’ll focus instead on the business and enterprise aspects of executive leadership qualities for CISOs. Korn Ferry, an executive placement firm, uses a well-developed set of competencies to evaluate executive leadership capacities. These competencies include what is normally expected from leadership, such as strategic vision and an ability to engage and inspire, as well as other capabilities that are becoming increasingly important to the CISO role:

  • The ability to balance multiple stakeholders and provide each with just the right level of information and assistance, especially when it comes to understanding and managing cyber risk.

  • The ability to balance persuasion skills with conflict management capacities. Security is often a source of tension or conflict, since the need to ensure the security and privacy of data can run counter to what other teams want to do, and the CISO is frequently a party to such conflicts, for example between internal audit and the IT department.

  • The ability to manage ambiguity and critical situations as they arise — as they likely will. Matters of cybersecurity aren’t always binary, and CISOs must learn to feel comfortable with the ambiguity of business operations and business decisions. An encounter with an executive could start with a rosy tone and quickly roll downhill, but a tense standoff can evolve toward a positive resolution, given the right guidance.

For some CISOs, adopting and refining these competencies will be a natural progression from their former responsibilities. For others, evolving may require more feedback and mentoring from other executives or external consultants. Leadership qualities for CISOs are continually evolving in the direction of what’s being asked of top-level business executives. This means being able to generate an effective security strategy, prove responsible use of security investments, regularly brief top leadership and the board, and handle with ease and grace the multitude of stakeholders and relationships that are now within the CISO’s sphere of influence.
