The new CISO's playbook: 5 rules to follow

Today’s privacy and regulatory requirements, the breadth of threats, and bad employee behavior require chief information security officers to add some new moves to the old playbook.


When Michelle Stewart was hired in August 2017 as the CISO at RentPath, a digital marketing company for the real estate rental industry, she knew she had to add some new rules to her CISO playbook. Times had changed since she last took over a new security leadership role. Once considered primarily a technology job, today’s CISO must be a business enabler who can communicate in business terms the value of their security initiatives.

Many of the fundamental first steps and best practices that a new CISO should take to quickly become an effective security leader haven’t changed much over the last several years. First, they must assess the security situation, then develop a good security team and build relationships and credibility with business leaders and executives. But some of these traditional rules now come with caveats.

“Now CISOs are having to flex different muscles, work with a broader set of stakeholders and build an increasingly diverse team to handle different areas of concern,” including regulatory and privacy issues, product security and shadow IT, says Jamey Cummings, a senior client partner who co-leads Korn Ferry’s global cybersecurity practice.

They’ll also need the business acumen to communicate with the board. By 2020, 100 percent of large enterprises will be asked to report to their board of directors on cybersecurity and technology risk at least annually, up from 40 percent of organizations in 2018, according to Gartner.

What’s more, cyber and information security needs are growing more diverse by industry. In today’s environment, “you have to spend more time understanding the industry you’re in and the strategic direction and business priorities of the company,” says Aileen Alexander, a senior client partner who co-leads Korn Ferry’s global cybersecurity practice with Cummings.

CISOs who have successfully made the transition to a new company, along with industry experts, offer five rules that should be part of every new CISO’s playbook.
