A recent Ponemon Institute report titled “The Evolving Role of CISOs and Their Importance to the Business” reaffirmed the notion that the role of the security leader is becoming more critical, especially when it comes to managing enterprise risk, deploying security analytics and protecting Internet of Things (IoT) devices. However, if chief information security officers (CISOs) wish to play a bigger role, they must not only have the necessary technical expertise and leadership skills, but also understand their company’s operations and articulate security priorities from a business perspective.
One of the main takeaways from the report is that security leaders have varying degrees of influence among upper management. Additional highlights include the following:
- Sixty-nine percent of respondents cited appointing an executive-level security leader with enterprisewide responsibility as the most important governance practice.
- Seventy-five percent of respondents said turf and silo issues influence IT security tactics and strategies.
- Only 22 percent of respondents said their organization’s security function is integrated with other business functions, and 50 percent said IT security is not integrated with physical security operations.
- Forty-five percent of respondents said their security function does not have clearly defined lines of responsibility.
- Twenty-two percent of organizations always hold their business partners and vendors to a high security standard.
- Forty-nine percent of respondents report directly to the chief information officer (CIO).
- Just 26 percent of outsourced services are held to the same standards as on-premises security operations.
The Security Leader’s Toolbox
As with other important business and IT functions, strong leadership is critical to the effectiveness of an information security program. While it’s crucial to establish a dedicated staff responsible for the daily management and oversight of information security, hiring a capable and competent CISO is one of the most important steps a company can take to bolster its overall strategy to protect the confidentiality, integrity and availability of information.
From the CISO’s first day on the job and every day thereafter, he or she needs to engage with many different functions and layers within the company. The role includes a lot of listening, data gathering and synthesizing of information. It also requires explaining, training and persuading people at all levels so they understand what information security is and how risks affect their areas of responsibility. CISOs should have excellent people and management skills because information security cannot be accomplished alone.
Security leaders must be both strategic and tactical while acting as a conduit between the business and IT. CISOs are more likely to be effective when they are respected and well-known within their company or able to quickly network and develop positive relationships regardless of stature. An understanding of the business and an ability to communicate about security, risk and compliance issues are crucial.
Seven Key Attributes of an Effective CISO
As the Ponemon report suggested, strong security leadership requires a broad range of skills and characteristics, not all of which are technical in nature. Bearing in mind the challenges listed above, let’s break down seven key attributes of an effective CISO.
1. Executive Presence and Leadership
Harvard Business Review defined executive presence as the “ability to project mature self-confidence, a sense that you can take control of difficult, unpredictable situations, make tough decisions in a timely way and hold your own with other talented and strong-willed members of the executive team.” CISOs must represent the company’s position regarding information security matters and influence other executives in a manner that is consistent with security goals and objectives.
Effective security leaders project executive leadership in developing, planning, coordinating, administering, managing, staffing and supervising all security-related operations. They oversee the information security program and its coordination with complementary programs, such as privacy, compliance, physical security, risk management, purchasing, human resources, internal audit and legal counsel, and integrate closely with business and IT. Some CISOs struggle to communicate effectively with business leaders, especially when it comes to risk and compliance topics, but they need to be able to explain these topics to the business in terms they can understand, and ultimately develop credibility and trust.
Since the CISO serves as a spokesperson for the information security program, he or she presents to senior management and the board of directors and addresses concerns expressed by auditors, vendors and the business. For this reason, the security leader must be able to interact with personnel at all levels or the company. A key success factor is the ability to establish and maintain working relationships and keep open lines of communication with business and IT groups.
2. Strategy and Program Planning Skills
Strong CISOs posses the focus and executive presence to motivate, guide, inspire, listen to and persuade others within the organization to help the company meet its security objectives. They carefully prepare plans with both short-term (e.g., annual) and long-term (e.g., three-year) planning horizons. In fact, establishing a process to determine strategy, set priorities and create operational plans is one of the most important steps a CISO must take to ensure the security program is effective and properly aligned with the company’s goals.
One size does not fit all when it comes to formulating a useful plan. Some CISOs develop their security strategies based on project-level risk assessments while others combine top-down risk management with a bottom-up approach. Both methods require stakeholder input and reflect high-level business priorities. Since information security is in competition with other business objectives, security strategy should be ratified by a governance board, council or committee that includes senior IT and business management stakeholders.
Listen to the podcast series: A CISO’s Guide to Obtaining Budget
3. Security Knowledge and Dedication to Self-Development
Accomplishing the mission of an information security program requires a CISO with a core set of skills and characteristics. CISOs should have a solid foundation of security knowledge to draw from because they are positioned to decide or recommend the company’s stance on most, if not all, information security issues. They should also possess strong analytical and problem-solving skills to understand and apply abstract concepts to practical problems. Finally, security leaders should have at least 10 years of experience in the security profession and five to seven years of direct experience managing a program.
The best path to increasing security awareness varies because every CISO has his or her own strengths and weaknesses, and business needs constantly evolve. For this reason, security leaders must be engaged in their own self-development. Training and development programs should proactively address emerging technologies, new compliance requirements and the ongoing need for security improvements.
It is also beneficial for a CISO to acquire certifications, such as Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM), because:
- They demonstrate an overall foundational core of knowledge in the field.
- They require CISOs to earn a minimum number of continuing professional education (CPE) credits every year, which supports a proactive training and development plan.
The role of security leader is learnable, but the process to achieve this position takes time and commitment. Anyone who has the will and motivation can become a CISO if he or she is dedicated to continuously improving his or her skills.
4. Communication, Delegation and Documentation
Information security is inherently interdisciplinary and interdepartmental, and it requires a variety of skill sets to be effective. In other words, security is a team effort and must be coordinated as such. A successful CISO is one that recognizes that information security is a continuous and ongoing business process that requires buy-in from individuals and teams throughout the company.
It is crucial to define who is involved in security-related decision-making and ensure that these individuals are empowered to make business-based risk management decisions. In addition, these decision-makers must be adept at justifying unpopular initiatives with clearly documented mandates for executive management.
All this complexity requires a great deal of synchronization. The roles and responsibilities of these individuals and departmental units must be explicitly delineated to avoid confusion or security lapses. When clear role and responsibility documentation is in place, employees can focus on efforts that truly advance the vision and strategic plan. This minimizes coverage gaps and the tendency to duplicate work already done by another individual or department.
5. Ability to Govern by Influence Rather Than Edict
CISOs understand that they have an enforcement responsibility, but typically prefer not to be viewed as the person whose job is to say no. The preferred approach is to govern by influence rather than edict. The security leader might, for example, establish a team of internal risk consultants who are available to help other business units perform vulnerability assessments and craft security policy. This makes the difference between fostering a control-centric relationship with non-IT departments and helping others manage the company’s information risk.
6. A Mind for Metrics
The maturity of security metrics can vary considerably, but CISOs should build formal metrics programs to better understand how the security function is performing and improving. They should also conduct periodic benchmarking with industry peers to compare programs and analytics.
It’s important to track metrics reported by various security tools, as well as results from operating security processes, to measure progress. In addition, security leaders should gather data from operational sources that build on industry-recognized frameworks to develop the security program. Existing operational data can reveal process breakdowns that need to be fixed. Carefully consider which metrics to use to evaluate the effectiveness of security programs, since the wrong metric could motivate behavior that runs counter to the key goals of the security program.
Listen to the podcast: If You Can’t Measure It, You Can’t Manage It
7. Appropriate Organizational Placement
The primary responsibility for coordinating the various activities that support the information security program falls on the CISO, who typically reports to another C-level executive, ideally the CEO. More often than not, however, the CISO reports to the CIO, chief technology officer (CTO) or chief financial officer (CFO). Organizational placement varies by company, but the most successful security leaders are treated with respect and afforded the latitude to address security-related people, processes and technology issues with authority.
CISOs are more effective when they are viewed as equal partners within the management structure. Open communication about educational gaps and opportunities helps senior management understand the significance of information security and provide the support and resources necessary for the CISO to be effective.
The Security Leader’s Passion Is Contagious
It may seem like common sense for organizations to equip and properly position the security leader to succeed, but it’s not common practice. Although CISOs posses different personal styles, strong ones expect and exemplify excellence. They are driven to achieve results, able to take initiative and lead teams, and adept at reading the environment and managing change.
Effective CISOs know when to be collaborative, when to be visionary, when to listen and when to command. They have genuine passion for their mission, and that passion is contagious. Companies everywhere are up against an increasingly sophisticated threat landscape and a volatile technology environment, and these challenges make the role of the CISO more crucial than ever.