February 12, 2016 By Christophe Veltsos 3 min read

“No longer merely a digital sheriff called on to protect the firm’s data valuables, the CISO is expected to act as a full strategic partner with the rest of the C-suite.” – Egon Zehnder’s “Evaluating and Attracting Your Next CISO: More Sophisticated Approaches for a More Sophisticated Role

The various roles that CISOs may play, including translator, diplomat, trust builder, strategic thinker and other leadership qualities, have been covered. But what is needed to support them in the role of a risk leader?

A New Challenge for the CISO

As boards and management seek to tackle cyber risks, CISOs must now rise to the challenge and adapt to the pressure of increased visibility and responsibility. When it comes to cyber risks, boards and management have turned their gaze and their trust toward the CISO to help the organization address an issue that can impact all areas of a business.

However, some CISOs might not be ready to be cyber risk leaders. Conversely, they might find themselves operating in an environment that makes it difficult for them to operate as risk leaders.

Deloitte developed and conducted CISO Transition Lab workshops to assist CISOs with the challenges of operating in environments that suffer from lack of funding, support, visibility and communications. Deloitte reported that the CISO role can be viewed as being composed of four faces:

  1. Strategist: They must drive business and cyber risk strategy alignment and instigate transformational change to manage risk.
  2. Adviser: CISOs educate, advise and influence activities with cyber risk implications.
  3. Guardian: Leaders protect business assets by managing the effectiveness of the cyber risk program.
  4. Technologist: They assess and implement security technologies and standards to build organizational capabilities.

Unfortunately, CISOs reported that they spend 77 percent of their time being guardians and technologists, despite the fact that they would like to spend more time being advisers and strategists.

What Makes a Successful Risk Leader?

The Chartered Global Management Accountant (CGMA) association argued that a successful risk leader should be:

  • Independent and influential;
  • A clear and concise communicator;
  • A standard-bearer for what’s right; and
  • Credible.

Egon Zehnder, an executive search and talent management consultancy, distilled four traits of successful leadership in the face of the many challenges presented by the modern world. These four traits are:

  1. Curiosity;
  2. Insight;
  3. Engagement; and
  4. Determination.

Building for a Better Future

For the CISOs who are ready to spend more of their time and energy setting security strategy and being risk advisers, here are some key leadership traits to develop:

  1. Have a sound understanding of the business. This is a key skill since everything the CISO does revolves around enabling the business to meet its objectives while minimizing the impact of negative risks. Yet many CISOs come from technology backgrounds and may not see the value or have the drive to ask questions that will afford them a solid picture of the business.
  2. Be a good communicator. CISOs should challenge themselves and others around them to ensure the security message is delivered as effectively as possible. Perhaps a quick review of Aristotle’s modes of persuasion might even be advised.
  3. Be receptive. Many CISOs find themselves walled up from the rest of the business due to their nonreceptive — or, worse, abrasive —ways of handling queries from fellow executives and business managers.
  4. Provide value and insight The CISO must be able to align his or her strategy and execution with the business objectives, but also have the insight to account for cyber risks that others might not fully appreciate. This is heavily dependent on the CISO’s ability to communicate and be receptive.
  5. Have good emotional IQ. CISOs must be able to see and sense the critical role that interpersonal dynamics play in all areas of the business.
  6. Have the courage and strength to fight the good fight. As the CGMA article put it, the risk leader needs to be able to “help the board set the risk appetite in line with the business model and act as wise counsel and effective challenge to the CEO, board and broader business.” While constantly butting heads with top leadership would not be advisable, an honest disagreement where CISOs can show the reason for their stance (i.e., helping the business achieve its objectives or helping shareholders achieve value) can be well-received.

More from CISO

Making smart cybersecurity spending decisions in 2025

4 min read - December is a month of numbers, from holiday countdowns to RSVPs for parties. But for business leaders, the most important numbers this month are the budget numbers for 2025. With cybersecurity a top focus for many businesses in 2025, it is likely to be a top-line item on many budgets heading into the New Year.Gartner expects that cybersecurity spending is expected to increase 15% in 2025, from $183.9 billion to $212 billion. Security services lead the way for the segment…

On holiday: Most important policies for reduced staff

4 min read - On Christmas Eve, 2023, the Ohio State Lottery had to shut down some of its systems because of a cyberattack. Around the same time, the Dark Web had a “Leaksmas” event, where cyber criminals shared stolen information for free as a holiday gift. In fact, the month of December 2023 saw more than 2 billion records breached and 1,351 disclosed security incidents, according to research from IT Governance — an increase of 332% and 187%, respectively, over the month of…

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today