December 14, 2016 By George Moraetes 4 min read

Chief information security officers (CISOs) are constantly challenged to avoid complacency. The seemingly insurmountable pressures of balancing escalating threats against regulatory compliance mandates can be overwhelming. When conceiving big security projects, CISOs often talk about finding the risky pain points in processes and trying to correct them. That exercise is all about management skills, yet many CISOs have not fully grasped how information security interacts with the rest of the company.

Keeping CISO Complacency in Check

The majority of business leaders see security as an obstacle to getting things done. Much of the friction arises because business leaders want the CISO to explain technology in business terms so they can see where the relationship needs to improve. Many think that IT should be outsourced by leveraging cloud technologies to do more with fewer resources. Business leaders want to concentrate on the business side, making it easier to work with existing personnel and, more importantly, to focus on their customers.

On many occasions, efforts by security leaders to initiate action and obtain the required investments hit roadblocks. Instead of measurable progress and projects moving forward, initiatives get caught up in the corporate politics that surround them. For the CISO, it is survival of the fittest. This drives complacency and erodes the CISO's competitive edge within corporate leadership.

Today's security-conscious organizations need a new breed of CISO who has the mental toughness and patience to withstand the heavy demands of a corporate environment. The best leaders know the obstacles and have the agility to navigate the treacherous road. The job is not for the faint of heart and is often short-lived, with the average tenure lasting just a few years.

Five Signs of CISO Complacency

As industries evolve under the endless demands of government and industry regulations, the danger of CISO complacency increases. CISOs are challenged to manage the ongoing dynamics of the business while implementing sound security programs, architecture, governance, risk and compliance in a way that blends effectively with corporate best practices.

CISO complacency often results when leaders reverse course and, instead of taking a step forward, stagnate or retreat to a comfort zone. Corporations may then become vulnerable to increasingly sophisticated cyberthreats and lose strategic focus on effectively mitigating them. A CISO must, therefore, identify the signs of creeping complacency and adopt a different leadership approach.

The following are five common signs of CISO complacency:

1. Anxiety and Ambiguity

One sign of complacency is when leaders become afraid of what is required to move the agenda forward. For instance, many CISOs seek the path of least resistance to avoid confronting the politics associated with necessary changes. They fear the potential backlash, but the lack of action leaves the organization exposed and vulnerable.

Anxiety increases with ambiguity. CISOs often fear uncertainty, but confronting it directly can become a powerful ally in the workplace, especially when security leaders anticipate outcomes, solve issues and don't allow others to determine their fate. Adversity might make or break a CISO, but it can also define one. Leaders must remember that their grasp and understanding of security far exceeds that of others in the organization. They have to be the ones calling the shots.

Anxiety and ambiguity result when employees don’t know the consequences of their actions. A complacent leader is often associated with an unpredictable corporate environment and an inability to control it. An effective CISO should be taking proactive steps to tackle risks, make decisions and anticipate the consequences of those actions.

2. Losing Focus on the Details

CISOs sometimes lose focus on the details as pressures mount. It's critical to maintain that focus by managing operations effectively. When it slips, quality erodes, and the erosion becomes obvious, especially when paired with inadequate preparation. People notice slow execution and poor time management. Cutting corners can have a negative impact on the organization.

3. Loss of Executive Presence

When team members notice the CISO cutting corners, tension begins to build. That’s when CISOs lose their executive presence. Mounting demands can lead to anger, job frustration and restlessness — and add significantly to CISO complacency.

Colleagues in the organization may begin to doubt the CISO’s leadership capabilities, which might lead to exclusion from executive decisions, budget cuts or more. In extreme cases, it could result in termination of employment. When CISOs become isolated from their peers in the C-suite, people begin to ignore or dance around their decrees, further inhibiting their ability to get the job done.

4. Too Easily Satisfied

When you are complacent, satisfaction comes from incremental growth. A small win might sound like a big one when, in fact, it is not. If your big win was implementing an identity and access management (IAM) system, it is time to reassess. Bare-minimum security practices should not be celebrated as if they were proactive measures. Remember, a leader has to visualize and understand the big picture and see the forest instead of the individual trees.

5. Making Excuses

A complacent CISO is quick to make excuses as to why a goal or task can’t be accomplished. It is all too easy to hide behind these excuses and accept the status quo. The CISO should be able to execute his or her vision with a feasible and reasonable road map. Anticipating barriers provides CISOs with the insight to overcome them. They can bolster this effort by advising others of potential risks. In this way, excuses are no longer necessary — they are built into the road map where everyone knows about the challenges upfront.

The CISO’s Vision

An effective CISO in today's demanding environment is motivated, proactive and able to manage the constant barrage of cyberthreats and compliance mandates. Complacency can prevent CISOs from establishing adequate security programs. The CISO has to be driven, be a serious leader, always move forward and influence others to achieve a visionary goal.

An effective business leader must recognize and deal with complacency in any position. It is a people skill that can be taught to others to empower them to advocate and work toward the CISO’s vision.

Read the full IBM Report: Cybersecurity perspectives from the boardroom and C-suite
