CISO December 10, 2015
By Christophe Veltsos 3 min read

Business leaders understand two things very well: business and people. This article takes a different perspective on the topic of managing one’s cybersecurity posture by focusing on the CISO’s leadership traits instead of the flurry of security-related policies, controls and programs that the business is likely implementing.

As cyber risks have risen in importance, becoming a topic of regular briefings at executive and board meetings, management and the board of directors are being asked to ensure that the security posture of the organization is adequate. While the world is slowly moving away from the awful security-by-audit-checklist mentality, management is increasingly being asked to evaluate the effectiveness of the organization’s security controls.

Business leaders, from the C-suite to the board of directors, process the role of the CISO through a lens that is much more familiar to them than cyber risks: the human perspective. The opinions that follow are forged from decades of working with people, many as students who later become professionals in IT and security, as well as from precious professional friendships with various CISOs and other security luminaries.

The future security posture of your business depends heavily on the kind of person your CISO is!

The CISO as a Translator

One of the CISO’s key roles is as translator of tech-related terms and threats into a language appropriate for his or her audience. When conversing with business leaders, the CISO needs to be able to communicate clearly and effectively, in the language of the business, through explanations, metaphors or visual aids.

The CISO as a Diplomat

The CISO must understand his or her role as a diplomat since very often security ends up stepping on other departments’ toes. Thus, CISOs must have a keen emotional intelligence to allow them to quickly detect whether their audience is closed to suggestions or possibly even hostile to the suggested or required changes.

This type of interaction is likely to increase as the CISOs communicate ways to reduce cyber risks to other groups. For example, they must converse with HR regarding SETA programs, with the IT department about IT controls such as privileged identity management and change control boards and with the finance department regarding multilayered processes around bank accounts and payroll.

The CISO as a Trust Builder

Ultimately, the CISO’s currency is trust. CISOs must earn the trust of the rest of the executive team and maintain that trust. In turn, executives and boards have to trust that the CISO will be an accurate vessel through which their wishes will be communicated and executed. Just as importantly, they have to trust that the CISO will be honest and transparent in reporting the true security posture of the organization.

The CISO as a Strategic Thinker

In line with the CISO as a trust builder, CISOs must also show themselves to be strategic thinkers and an ally of the business. They must be able to embrace the greater good, generate solid ideas and implement them. A great CISO should also be someone with the business wherewithal to include the big picture in all decisions or, conversely, to relate the connectedness of all security decisions to the big picture in all communications.

The CISO as a Leader

As the CISO’s role continues to evolve toward the top of the executive sphere, the CISO is increasingly being asked to serve in a leadership role. Gallup’s “Strengths Based Leadership,” the follow-up to its StrengthsFinder personality assessment, has mapped leaders’ strengths along four main themes: executing, influencing, relationship and strategic thinking. Each theme contains eight to nine strengths.

Effective leaders should know their strengths and their weaknesses. The same is true of CISOs. Here is the breakdown, as explained by StrengthsFinder:

EXECUTING

INFLUENCING

RELATIONSHIP

STRATEGIC THINKING

  • Achiever

  • Arranger

  • Belief

  • Consistency

  • Deliberative

  • Discipline

  • Focus

  • Responsibility

  • Restorative

  • Activator

  • Command

  • Communication

  • Competition

  • Maximizer

  • Self-Assurance

  • Significance

  • Woo

  • Adaptability

  • Developer

  • Connectedness

  • Empathy

  • Harmony

  • Includer

  • Individualization

  • Positivity

  • Relater

  • Analytical

  • Context

  • Futuristic

  • Ideation

  • Input

  • Intellection

  • Learner

  • Strategic
Scroll to view full table

To assess the leadership potential of candidates, Spencer Stuart, an executive search and leadership consulting firm, looked at the individual’s performance along the following lines:

  • Exceptional business judgment;
  • The ability to recognize interpersonal dynamics and apply them in decision-making;
  • Highly effective people management and team building skills;
  • Humility and substance;
  • Effective people development skills;
  • The ability to drive change.

As the CISO role matures into that of a risk executive, organizations would do well to review the people side of their security posture, starting with the traits of their CISO to determine the extent to which their CISO is able to make the leap to this new, more challenging senior role.

Read the IBM Report: Cybersecurity perspectives from the boardroom and C-suite

 |  |  | 
Christophe Veltsos
InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato

More from CISO
CISO   June 2, 2023

Poor Communication During a Data Breach Can Cost You — Here’s How to Avoid It

5 min read - No one needs to tell you that data breaches are costly. That data has been quantified and the numbers are staggering. In fact, the IBM Security Cost of a Data Breach estimates that the average cost of a data breach in 2022 was $4.35 million, with 83% of organizations experiencing one or more security incidents. But what’s talked about less often (and we think should be talked about more) is how communication — both good and bad — factors into…

5 min read
CISO   June 1, 2023

Ransomware Renaissance 2023: The Definitive Guide to Stay Safer

2 min read - Ransomware is experiencing a renaissance in 2023, with some cybersecurity firms reporting over 400 attacks in the month of March alone. And it shouldn’t be a surprise: the 2023 X-Force Threat Intelligence Index found backdoor deployments — malware providing remote access — as the top attacker action in 2022, and aptly predicted 2022’s backdoor failures would become 2023’s ransomware crisis. Compounding the problem is the industrialization of the cybercrime ecosystem, enabling adversaries to complete more attacks, faster. Over the last…

2 min read
CISO   May 16, 2023

Do You Really Need a CISO?

2 min read - Cybersecurity has never been more challenging or vital. Every organization needs strong leadership on cybersecurity policy, procurement and execution — such as a CISO, or chief information security officer. A CISO is a senior executive in charge of an organization’s information, cyber and technology security. CISOs need a complete understanding of cybersecurity as well as the business, the board, the C-suite and how to speak in the language of senior leadership. It’s a changing role in a changing world. But…

2 min read
CISO   May 4, 2023

What “Beginner” Skills do Security Leaders Need to Refresh?

4 min read - The chief information security officer (CISO) was once a highly technical role primarily focused on security. But now, the role is evolving. Modern security leaders must work across divisions to secure technology and help meet business objectives. To stay relevant, the CISO must have a broad range of skills to maintain adequate security and collaborate with teams of varying technical expertise. Learning is essential to simply keep pace in security. In a CISO Series podcast, Skillsoft CISO Okey Obudulu recently said,…

4 min read
© 2023 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature