January 12, 2017 By Christophe Veltsos 3 min read

Competing in the global marketplace in 2017 doesn’t come easy. Today’s organizations must deal with global competition and innovation, workforce gaps, a pace of disruption that shows no signs of slowing down and the ever-increasing frequency and maturity of cyberattacks. These factors translate into a lot of stress and very little time to determine the best cybersecurity leadership style to keep the organization safe from the barrage of cyberattacks.

Charisma: More Than Meets the Eye

Top leaders often pat themselves on the back when they land a charismatic chief information security officer (CISO) who seems able to grasp the technical complexity of the job and communicate cybersecurity issues in a digestible manner. When the CISO appears to be very charismatic, that’s the icing on the cake. After all, who doesn’t want to listen to a good storyteller, someone with strong magnetism who can clearly and eloquently articulate a vision?

However, the dark side of charisma can impact the CISO’s ability to motivate staff as well as undermine communications about cyber risks. According to Harvard Business Review, a leader’s charisma can gradually shift from a positive to a negative influence within an organization.

Five Stages of Deteriorating Cybersecurity Leadership

The first stage of this process begins when the leader is unreceptive to constructive feedback regarding his or her rationale, choices or actions. This is a subtle shift, but an importance one. Left unchecked, it can lead to the next phase.

A charismatic leader moves into stage two when subordinates begin to avoid saying or doing anything that might result in strong pushback. This self-censure can quickly radiate outward to reach second-level reports and, eventually, the entire set of employees reporting to the CISO.

This tense environment naturally gives way to stage three, in which the CISO is only receptive to supportive interactions. This further solidifies the leader’s skewed sense of self and compromises his or her objectivity. Under these conditions, any reports questioning the effectiveness of a particular security control would be quashed quickly and forcefully.

Stage four brings about further disconnect between the CISO and IT staff, since employees are totally unwilling to do or say anything that could conceivably conflict with the CISO’s preconceived notions. The value of the interactions between the CISO and IT staff have now plummeted into a spiral that can take the entire organization down with it.

The fifth and final stage is characterized by a general sense of cynicism and despair among the IT staff working under the CISO. Employees continue to comply with the CISO’s demands while quietly venting about the nasty state of affairs. Unfortunately, other senior-level executives may be unaware of the extent of the problem or, worse, unable to do anything about it.

Kicking Conformity Bias

CISOs should be mindful of how their own biases can shape future behaviors and negatively impact organizational change. After all, research has shown the desire to conform can influence people to override their own powers of reason and observation. In an experiment described by another article in the Harvard Business Review, 35 percent of individuals accepted the incorrect judgments of the majority regarding the length of a line.

An organization’s culture should emphasize open communication. HBR noted that there should be “a structured method to extract learning from every success and mistake.” Constructive feedback should be encouraged and rewarded as part of the company culture. Furthermore, IT employees should “embrace and challenge” the CISO.

Leaders in the C-suite need to keep a close eye on the leadership style of the CISO. Some CISOs need support and encouragement to overcome the uneasiness of their new seat at the table. Others with strong, single-minded charisma may need to learn how to foster and reward open, honest feedback.

Business books are filled with case studies of leaders whose stubbornness led to their companies’ demise. CISOs are not immune to these flaws, so the rest of the C-suite should pay close attention to the CISO’s leadership style and react accordingly.

More from CISO

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today