“If you always do what you’ve always done, you’ll always get what you’ve always got.”

This kernel of wisdom comes from a certain high-tech headhunter in the late 1980s, who passed it on as she was helping her candidates prepare for their next job. Twenty years later, it showed up again in “What Got You Here Won’t Get You There,” a best-selling business book by Marshall Goldsmith.

For today’s information security leader, it’s wisdom that’s still worth appreciating. The role of CISO is very much in transition, and it’s increasingly clear that the skills that got you there are not the skills that are going to keep you there, let alone move you forward. For those who aspire to become CISOs, the path to a leadership role in cybersecurity is not the same as it has traditionally been.

In the spirit of doing things differently, here are introductions to three specific dimensions of important changes for information security leaders and their teams if they want to make a bigger and more valued contribution to their organization.

Two Distinct Roles

As recommended in a strategy map for security leaders, successful next-generation CISOs should strive for their information security teams to be perceived by key stakeholders as being strong in both of two distinct roles:

  • Subject matter experts in the technical aspects of ever-changing threats, vulnerabilities, exploits and information technologies, in the specific context of their own organization; and
  • Trusted advisers to the people who are responsible for making the business decisions about security-related risks, complete with the business acumen needed to bridge the gap between technical detail and organizational impact.

While acknowledging that every person is different, it’s generally true that current information security leaders have come up through the ranks of technical experts. These are the skills that got you there — and indeed, these are the skills that continue to be in short supply. But the leadership role is now demanding a blend of technical and business skills. Think of it as a cross between the business-savvy technologist and the tech-savvy businessperson.

Four Fundamental Questions

Helping the organization to manage not only the unrewarded risks of protecting its assets and minimizing downside, but also the rewarded risks of enabling its assets and maximizing upside, is the fundamental value provided by the business function known as information security. For this reason, the successful next-generation CISO should be extremely capable and highly confident when addressing the following four questions:

  1. What’s the risk? This question might refer to phishing attacks, ransomware, bad bots or whatever challenge comes next in the never-ending battle between attackers and defenders.
  2. What’s the annualized risk in the specific context of our organization, industry, strategy, IT infrastructure and culture?
  3. How does an incremental investment quantifiably reduce risk? What’s the business justification for an incremental investment in some recommended mix of technical, administrative and physical security controls, which are intended to manage the risk?
  4. How does one investment compare to another, with respect to reducing risk to an acceptable level in a specific context?

Identifying, assessing and communicating effectively about security-related risks — along with making sound business recommendations regarding what to do about them — is the very reason that information security leaders and their teams exist! Unfortunately, far too many are really struggling with how to address these fundamental questions and need to make a deliberate effort to develop the necessary skills.

Three Persistent Challenges

Pushing one level deeper in this line of thinking, successful next-generation CISOs will have to figure out how to help themselves and their teams overcome three persistent challenges.

  1. A language challenge: Even though risk is literally at the center of everything we do, a surprising number of security professionals don’t have an accurate understanding of how risk is defined and don’t use the correct terminology when talking about it. In addition, many misunderstand the types of risk, the range of responses to risk and the all-important question of who owns the business decisions about risk.
  2. A measurement challenge: Given the predominantly technical and engineering-oriented backgrounds of security professionals, there’s an innate discomfort with the fact that security risks generally can’t be quantified with precision. But a lack of precision doesn’t mean “I don’t know.” In any case, the name of the game is to help make more informed business decisions about risk in spite of these inherent uncertainties.
  3. A communications challenge: In spite of our discomfort at not knowing how to quantify risk, we routinely fall back on using a wide range of purely emotional and qualitative approaches to measuring and communicating about it. For example, we tout the latest headlines, averages based on surveys, the opinions of experts, qualitative assessments and semiquantitative heat maps. None of these approaches really moves the dial with respect to making better business decisions beyond the default intuition and gut instinct of the responsible business decision-makers.

Do Something Different as an Information Security Leader

If we always do what we’ve always done in these areas, we’ll always get what we’ve always got. An information security leader needs to take a different approach in each of these three dimensions if they want to drive different and more valuable results.

Read the complete IBM Report: Cybersecurity perspectives from the boardroom and C-suite