Is Your CISO Ready to Be a Risk Leader?

“No longer merely a digital sheriff called on to protect the firm’s data valuables, the CISO is expected to act as a full strategic partner with the rest of the C-suite.” – Egon Zehnder’s “Evaluating and Attracting Your Next CISO: More Sophisticated Approaches for a More Sophisticated Role

The various roles that CISOs may play, including translator, diplomat, trust builder, strategic thinker and other leadership qualities, have been covered. But what is needed to support them in the role of a risk leader?

A New Challenge for the CISO

As boards and management seek to tackle cyber risks, CISOs must now rise to the challenge and adapt to the pressure of increased visibility and responsibility. When it comes to cyber risks, boards and management have turned their gaze and their trust toward the CISO to help the organization address an issue that can impact all areas of a business.

However, some CISOs might not be ready to be cyber risk leaders. Conversely, they might find themselves operating in an environment that makes it difficult for them to operate as risk leaders.

Deloitte developed and conducted CISO Transition Lab workshops to assist CISOs with the challenges of operating in environments that suffer from lack of funding, support, visibility and communications. Deloitte reported that the CISO role can be viewed as being composed of four faces:

  1. Strategist: They must drive business and cyber risk strategy alignment and instigate transformational change to manage risk.
  2. Adviser: CISOs educate, advise and influence activities with cyber risk implications.
  3. Guardian: Leaders protect business assets by managing the effectiveness of the cyber risk program.
  4. Technologist: They assess and implement security technologies and standards to build organizational capabilities.

Unfortunately, CISOs reported that they spend 77 percent of their time being guardians and technologists, despite the fact that they would like to spend more time being advisers and strategists.

What Makes a Successful Risk Leader?

The Chartered Global Management Accountant (CGMA) association argued that a successful risk leader should be:

  • Independent and influential;
  • A clear and concise communicator;
  • A standard-bearer for what’s right; and
  • Credible.

Egon Zehnder, an executive search and talent management consultancy, distilled four traits of successful leadership in the face of the many challenges presented by the modern world. These four traits are:

  1. Curiosity;
  2. Insight;
  3. Engagement; and
  4. Determination.

Building for a Better Future

For the CISOs who are ready to spend more of their time and energy setting security strategy and being risk advisers, here are some key leadership traits to develop:

  1. Have a sound understanding of the business. This is a key skill since everything the CISO does revolves around enabling the business to meet its objectives while minimizing the impact of negative risks. Yet many CISOs come from technology backgrounds and may not see the value or have the drive to ask questions that will afford them a solid picture of the business.
  2. Be a good communicator. CISOs should challenge themselves and others around them to ensure the security message is delivered as effectively as possible. Perhaps a quick review of Aristotle’s modes of persuasion might even be advised.
  3. Be receptive. Many CISOs find themselves walled up from the rest of the business due to their nonreceptive — or, worse, abrasive —ways of handling queries from fellow executives and business managers.
  4. Provide value and insight The CISO must be able to align his or her strategy and execution with the business objectives, but also have the insight to account for cyber risks that others might not fully appreciate. This is heavily dependent on the CISO’s ability to communicate and be receptive.
  5. Have good emotional IQ. CISOs must be able to see and sense the critical role that interpersonal dynamics play in all areas of the business.
  6. Have the courage and strength to fight the good fight. As the CGMA article put it, the risk leader needs to be able to “help the board set the risk appetite in line with the business model and act as wise counsel and effective challenge to the CEO, board and broader business.” While constantly butting heads with top leadership would not be advisable, an honest disagreement where CISOs can show the reason for their stance (i.e., helping the business achieve its objectives or helping shareholders achieve value) can be well-received.
Share this Article:
Christophe Veltsos

InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato

Chris Veltsos is an associate professor in the Department of Computer Information Science at Minnesota State University, Mankato where he regularly teaches Information Security and Information Warfare classes. Beyond the classroom, Chris is also very active in the security community, engaging with community groups and advising business leaders on how to best manage information security risks.