Organizations today have to balance the need for continuous evolution along the digital continuum with the need to protect their data and operations and keep cyber risk at an acceptable level. The chief information security officer (CISO) role is uniquely positioned to help organizations manage those dualities, but it requires a different set of leadership qualities for CISOs that goes well beyond their traditional role as guardians of all things technological.

An organization that goes too far in one direction risks missing valuable business opportunities, delaying technological improvements and slowing its ability to compete in the global marketplace. Going too far in the other direction could mean exposing the business to new levels of cyber risk in the course of undertaking a digital transformation — and the real possibility that these risks will rise above the tolerance level of the organization.

To account for this challenge, here are the leadership qualities CISOs must possess in order to guide their organizations down the middle of the road, taking on just the right amount of risk and adopting a suitable pace for their digital transformation.

The Evolving Responsibilities of the CISO

A 2019 report by PwC and Harvard Business Review (HBR) Analytic Services shed light on the ongoing evolution of the CISO role. Survey participants were asked about the CISO’s responsibilities today compared to three years from now. For the CISO of today, building and maintaining threat-resistant systems was the top priority (56 percent of respondents), followed by identifying potential external threat factors (51 percent).

In contrast, the priorities for CISOs three years from now focused more on executive and strategic responsibilities, as is evidenced in these top seven priorities, of which only one is technology-focused:

  1. Build an organization-wide cybersecurity culture (63 percent)
  2. Formulate strategy for cybersecurity (51 percent)
  3. Build and maintain threat-resistant systems (47 percent)
  4. Work with the risk management function to integrate cyber risk with broader risk strategy (47 percent)
  5. Address legal and regulatory compliance requirements (34 percent)
  6. Develop cybersecurity risk metrics (31 percent)
  7. Educate the board and the C-suite on cybersecurity (30 percent)

Identifying potential external threat factors moved to eighth place. For CISOs whose education, training and experience mostly focused on the technical aspects of the role, this shift in responsibilities will require developing new security leadership competencies.

The CISO as a Digital Trust Leader

As a recent IBM Security e-book stated, “With a trusted advisor, you can better anticipate disruption, adapt to a changing security landscape and look to new innovations to gain a competitive advantage without losing sight of security.”

When asked about leadership qualities for CISOs, HBR/PwC survey respondents pointed to the ability to educate and collaborate across the organization as the most critical quality (84 percent), followed by communication skills (82 percent). Tied for third place at 79 percent were the ability to make data-driven decisions — in other words, to take on smart risks — and the ability to provide strategic insight.

The CISO as a digital trust leader must be able to reach out and engage partners across the entire business, relying on excellent communication skills and organizational knowledge to zero in on high-value assets and review the most likely cyber risk scenarios. In some cases, the fix will come in the form of deploying improved security controls. In other instances, the CISO will have to lead negotiations around the appropriate level of cyber risk — the company’s risk appetite — and tie the outcome back to the risk management processes and governance structures already in place. As the IBM Security e-book points out, an effective security strategy will “shine a light on risk and bring it out into the open.”

Refresh Your Executive Competencies

What competencies do CISOs need to become better cybersecurity leaders? The HBR/PwC report pointed us toward the answer: “The right CISO is fluent in business strategy as well as technology.” Since most CISOs are already well-versed in the technology area, we’ll focus instead on the business and enterprise aspects of executive leadership qualities for CISOs. Korn Ferry, an executive placement firm, uses a well-developed set of competencies to evaluate executive leadership capacities. These competencies include what is normally expected from leadership — strategic vision and an ability to engage and inspire — as well as other capabilities that are becoming increasingly important to the CISO role:

  • The ability to balance multiple stakeholders and provide each with just the right level of information and assistance, especially when it comes to understanding and managing cyber risk.

  • The ability to balance persuasion skills with conflict management capacities. Security is often a source of tension or conflict — the need to ensure the security and privacy of data frequently cuts against other priorities — and the CISO is often a party to such conflicts, for example between internal audit and the IT department.

  • The ability to manage ambiguity and critical situations as they arise — as they likely will. Matters of cybersecurity aren’t always binary, and CISOs must learn to feel comfortable with the ambiguity of business operations and business decisions. An encounter with an executive could start with a rosy tone and quickly roll downhill, but a tense standoff can evolve toward a positive resolution, given the right guidance.

For some CISOs, adopting and refining these competencies will be a natural progression from their former responsibilities. For others, evolving may require more feedback and mentoring from other executives or external consultants. Leadership qualities for CISOs are continually evolving in the direction of what’s being asked of top-level business executives. This means being able to generate an effective security strategy, prove responsible use of security investments, regularly brief top leadership and the board, and handle with ease and grace the multitude of stakeholders and relationships that are now within the CISO’s sphere of influence.
