“No longer merely a digital sheriff called on to protect the firm’s data valuables, the CISO is expected to act as a full strategic partner with the rest of the C-suite.” – Egon Zehnder’s “Evaluating and Attracting Your Next CISO: More Sophisticated Approaches for a More Sophisticated Role

The various roles that CISOs may play, including translator, diplomat, trust builder, strategic thinker and other leadership qualities, have been covered. But what is needed to support them in the role of a risk leader?

A New Challenge for the CISO

As boards and management seek to tackle cyber risks, CISOs must now rise to the challenge and adapt to the pressure of increased visibility and responsibility. When it comes to cyber risks, boards and management have turned their gaze and their trust toward the CISO to help the organization address an issue that can impact all areas of a business.

However, some CISOs might not be ready to be cyber risk leaders. Conversely, they might find themselves operating in an environment that makes it difficult for them to operate as risk leaders.

Deloitte developed and conducted CISO Transition Lab workshops to assist CISOs with the challenges of operating in environments that suffer from lack of funding, support, visibility and communications. Deloitte reported that the CISO role can be viewed as being composed of four faces:

  1. Strategist: They must drive business and cyber risk strategy alignment and instigate transformational change to manage risk.
  2. Adviser: CISOs educate, advise and influence activities with cyber risk implications.
  3. Guardian: Leaders protect business assets by managing the effectiveness of the cyber risk program.
  4. Technologist: They assess and implement security technologies and standards to build organizational capabilities.

Unfortunately, CISOs reported that they spend 77 percent of their time being guardians and technologists, despite the fact that they would like to spend more time being advisers and strategists.

What Makes a Successful Risk Leader?

The Chartered Global Management Accountant (CGMA) association argued that a successful risk leader should be:

  • Independent and influential;
  • A clear and concise communicator;
  • A standard-bearer for what’s right; and
  • Credible.

Egon Zehnder, an executive search and talent management consultancy, distilled four traits of successful leadership in the face of the many challenges presented by the modern world. These four traits are:

  1. Curiosity;
  2. Insight;
  3. Engagement; and
  4. Determination.

Building for a Better Future

For the CISOs who are ready to spend more of their time and energy setting security strategy and being risk advisers, here are some key leadership traits to develop:

  1. Have a sound understanding of the business. This is a key skill since everything the CISO does revolves around enabling the business to meet its objectives while minimizing the impact of negative risks. Yet many CISOs come from technology backgrounds and may not see the value or have the drive to ask questions that will afford them a solid picture of the business.
  2. Be a good communicator. CISOs should challenge themselves and others around them to ensure the security message is delivered as effectively as possible. Perhaps a quick review of Aristotle’s modes of persuasion might even be advised.
  3. Be receptive. Many CISOs find themselves walled up from the rest of the business due to their nonreceptive — or, worse, abrasive —ways of handling queries from fellow executives and business managers.
  4. Provide value and insight The CISO must be able to align his or her strategy and execution with the business objectives, but also have the insight to account for cyber risks that others might not fully appreciate. This is heavily dependent on the CISO’s ability to communicate and be receptive.
  5. Have good emotional IQ. CISOs must be able to see and sense the critical role that interpersonal dynamics play in all areas of the business.
  6. Have the courage and strength to fight the good fight. As the CGMA article put it, the risk leader needs to be able to “help the board set the risk appetite in line with the business model and act as wise counsel and effective challenge to the CEO, board and broader business.” While constantly butting heads with top leadership would not be advisable, an honest disagreement where CISOs can show the reason for their stance (i.e., helping the business achieve its objectives or helping shareholders achieve value) can be well-received.

More from CISO

How to Solve the People Problem in Cybersecurity

You may think this article is going to discuss how users are one of the biggest challenges to cybersecurity. After all, employees are known to click on unverified links, download malicious files and neglect to change their passwords. And then there are those who use their personal devices for business purposes and put the network at risk. Yes, all those people can cause issues for cybersecurity. But the people who are usually blamed for cybersecurity issues wouldn’t have such an…

The Cyber Battle: Why We Need More Women to Win it

It is a well-known fact that the cybersecurity industry lacks people and is in need of more skilled cyber professionals every day. In 2022, the industry was short of more than 3 million people. This is in the context of workforce growth by almost half a million in 2021 year over year per recent research. Stemming from the lack of professionals, diversity — or as the UN says, “leaving nobody behind” — becomes difficult to realize. In 2021, women made…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

Detecting the Undetected: The Risk to Your Info

IBM’s Advanced Threat Detection and Response Team (ATDR) has seen an increase in the malware family known as information stealers in the wild over the past year. Info stealers are malware with the capability of scanning for and exfiltrating data and credentials from your device. When executed, they begin scanning for and copying various directories that usually contain some sort of sensitive information or credentials including web and login data from Chrome, Firefox, and Microsoft Edge. In other instances, they…