Organizations today have to balance the need for continuous evolution along the digital continuum with the need to protect their data and operations and keep cyber risk at an acceptable level. The chief information security officer (CISO) role is uniquely positioned to help organizations manage that duality, but doing so requires a set of leadership qualities that goes well beyond the CISO's traditional role as guardian of all things technological.

An organization that goes too far in one direction risks missing valuable business opportunities, delaying technological improvements and slowing its ability to compete in the global marketplace. Going too far in the other direction could mean exposing the business to new levels of cyber risk in the course of undertaking a digital transformation — and the real possibility that these risks will rise above the tolerance level of the organization.

To account for this challenge, here are the leadership qualities CISOs must possess in order to guide their organizations down the middle of the road, taking on just the right amount of risk and adopting a suitable pace for their digital transformation.

The Evolving Responsibilities of the CISO

A 2019 report by PwC and Harvard Business Review (HBR) Analytic Services shed light on the ongoing evolution of the CISO role. Survey participants were asked about the CISO's responsibilities today and what they expected them to be three years from now. For the CISO of today, building and maintaining threat-resistant systems was the top priority (56 percent of respondents), followed by identifying potential external threat factors (51 percent).

In contrast, the priorities for CISOs three years from now focused more on executive and strategic responsibilities, as is evidenced in these top seven priorities, of which only one is technology-focused:

  1. Build an organizationwide cybersecurity culture (63 percent)
  2. Formulate strategy for cybersecurity (51 percent)
  3. Build and maintain threat-resistant systems (47 percent)
  4. Work with the risk management function to integrate cyber risk with broader risk strategy (47 percent)
  5. Address legal and regulatory compliance requirements (34 percent)
  6. Develop cybersecurity risk metrics (31 percent)
  7. Educate the board and the C-suite on cybersecurity (30 percent)

Identifying potential external threat factors moved to eighth place. For CISOs whose education, training and experience mostly focused on the technical aspects of the role, this shift in responsibilities will require developing new security leadership competencies.

The CISO as a Digital Trust Leader

As a recent IBM Security e-book stated, “With a trusted advisor, you can better anticipate disruption, adapt to a changing security landscape and look to new innovations to gain a competitive advantage without losing sight of security.”

When asked about leadership qualities for CISOs, HBR/PwC survey respondents pointed to the ability to educate and collaborate across the organization as the most critical quality (84 percent), followed by communication skills (82 percent). Tied for third place at 79 percent were the ability to make data-driven decisions, which in practice means judging which risks are worth taking, and the ability to provide strategic insight.

The CISO as a digital trust leader must be able to reach out and engage partners across the entire business, relying on excellent communication skills and organizational knowledge to zero in on high-value assets and review the most likely cyber risk scenarios. In some cases, the fix will come in the form of deploying improved security controls. In others, the CISO will have to lead negotiations around the appropriate level of cyber risk (the company's risk appetite) and tie the outcome back to the risk management processes and governance structures already in place. As the IBM Security e-book points out, an effective security strategy will "shine a light on risk and bring it out into the open."

Refresh Your Executive Competencies

What competencies do CISOs need to become better cybersecurity leaders? The HBR/PwC report pointed us toward the answer: "The right CISO is fluent in business strategy as well as technology." Since most CISOs are already well-versed in the technology area, we'll focus instead on the business and enterprise aspects of executive leadership qualities for CISOs. Korn Ferry, an executive placement firm, uses a well-developed set of competencies to evaluate executive leadership capacities. These competencies include what is normally expected from leadership (strategic vision and an ability to engage and inspire) as well as other capabilities that are becoming increasingly important to the CISO role:

  • The ability to balance multiple stakeholders and provide each with just the right level of information and assistance, especially when it comes to understanding and managing cyber risk.

  • The ability to balance persuasion skills with conflict management capacities. Security is often either the source of tension (the need to ensure the security and privacy of data can run up against business priorities) or a party to it, as in disputes between internal audit and the IT department.

  • The ability to manage ambiguity and critical situations as they arise — as they likely will. Matters of cybersecurity aren’t always binary, and CISOs must learn to feel comfortable with the ambiguity of business operations and business decisions. An encounter with an executive could start with a rosy tone and quickly roll downhill, but a tense standoff can evolve toward a positive resolution, given the right guidance.

For some CISOs, adopting and refining these competencies will be a natural progression from their former responsibilities. For others, evolving may require more feedback and mentoring from other executives or external consultants. Leadership qualities for CISOs are continually evolving in the direction of what’s being asked of top-level business executives. This means being able to generate an effective security strategy, prove responsible use of security investments, regularly brief top leadership and the board, and handle with ease and grace the multitude of stakeholders and relationships that are now within the CISO’s sphere of influence.
