What it takes to be a transformational CISO

Brian Kelly, back when he was CISO of Quinnipiac University, felt the pressure to take a different tack.

Like most security chiefs, Kelly found himself working with limited resources while facing expanding responsibilities and threats.

He saw then the need for change, believing that he could better contend with those dueling pressures and improve the organization’s security posture by transforming the cybersecurity function from a rigid operation rooted in compliance to a more flexible one grounded in understanding and reducing risks as they emerge.

The shift, he says, meant big changes for both the organization and him as its leader.

“For me, I had to be more open to alternatives, and I had to be open to a gray area, understanding that security is not always black and white. I had to listen, collaborate, learn from a community, be more adaptable, and I had to be strategic around the institution’s goals,” he says. “It started a transformational way of thinking.”

Brian Kelly

Kelly implemented various new initiatives during his 2006 to 2019 tenure at the university, including an awareness campaign meant to get everyone in the organization to see security as their responsibility.

Such efforts helped transform the security function into a high-performing, strategic and responsive operation; they remade him, too.

“It made me a better CISO,” says Kelly, now director of the cybersecurity program at EDUCAUSE, a nonprofit organization promoting the use of IT in higher education.

What it means to be a transformational CISO

Kelly is far from alone. Enterprise security executives who have seen their position evolve in the past decade from a managerial role focused on defending systems to a strategic one centered on business enablement to one, today, that’s increasingly expected to engage in transformational work.

“It’s not about being a security person; it’s now about having the ability to drive change and deliver value,” says Vijay Jajoo, a partner with KPMG Cyber Services.

Indeed, a transformational CISO is more than a technologist who understands the business or a businessperson who gets technology.

Rather, a transformational security leader is one who can design, deliver and run a security strategy that supports both the organization’s everyday needs and strategic vision while at the same time can work with his or her C-suite colleagues on those larger, challenging and often painful initiatives that will take the enterprise to its next iteration.

That takes a slew of specific personal attributes and professional skills to do.

“A transformational CISO is the one most comfortable in the face of chaos, the one who can handle the most change, the one most comfortable handling multiyear build-outs that transition from one set of often tactical activities to one that is more strategic and focused on what the overall organization wants to do,” says Jeff Pollard, vice president and principal analyst with Forrester Research and co-author of multiple reports about the state of the CISO position.

The skills and traits of a transformational CISO

Forrester research identified the transformational CISO as one of the six different types of CISOs.

“Transformational CISOs love overhauling a struggling security program and seeing long-term improvements take shape. Retooling, restaffing, and rebuilding from the ground up inspires them,” Pollard and co-author Josh Zelonis wrote in their May 2020 report, Every CISO Is Now A Transformational CISO.

Jeff Pollard

What exactly, though, does a transformational CISO possess that sets him or her apart? That allows him or her to “love” the hard work of overhauling and rebuilding?

Pollard says research has identified a number of traits and characteristics that define such a leader:

A transformational CISO is energized by change and disruption, and they’re energetic in general. “They’re comfortable operating in chaos,” he says.

They’re dynamic and adaptable.

They’re outspoken and persuasive, they tend to be more extraverted, and they’re able to build consensus. “They have to be able to do a bit of sales, and they have to be able to fit security into the rest of the company’s journey,” he explains.

“If that’s you, you need to find a company that’s willing to change, that doesn’t micromanage or command and control, that’s not heavily centralized. Or you need to find companies in markets that are being forced to change,” Pollard adds.

Kelly offered a similar list of defining skills and attributes, singling out flexibility as well as the ability to listen and collaborate.

Others agree, adding that being a good communicator is essential as is the ability to connect how changes in various areas — such as security technologies and individual business units — roll up together to drive organizational and industrywide disruption.

“They have to be intensively curious about their business and industry and the technology that runs it. They have to have a much more expansive view of all the things that will impact the organization and what the organization needs to be more resilient,” adds Matt Stamper, CISO for the tech company EVOTEK, president of the San Diego chapter of ISACA and co-author of the CISO Desk Reference Guide.

Matt Stamper

A transformational CISO also must be proactive and visionary so that he or she can articulate where both the security function and the whole organization need to be not just tomorrow but in the months and years ahead. The transitional CISO then must have the capability to execute with the other executives and with the support of the security team on that vision, Stamper adds.

He cites CISOs in the financial firms as models to follow, pointing out that they understood early on how security would be essential in shifting the financial industry into the digital environment.

Jajoo says he sees transitional leaders in general as being visionary, inspirational, innovative and passionate.

Vijay Jajoo

“They have a vision to drive change, but they’re also able to inspire. They can rally their own troops but they also get alignment and drive others toward that vision. It’s no different for security leaders,” he adds.

Jajoo points to a colleague, a CISO at a financial services company, as an illustrative example of a transformational executive. The firm as a whole was engaged in a sweeping transformation, which the CISO embraced by moving the security function from a tactical one to an operation focused on risk reduction and secure customer engagement. He adopted advanced technologies such as artificial intelligence, met with multi-stakeholder groups to explain his strategic vision, overhauled his security operation to create new career paths and training opportunities, encouraged innovation without penalizing people for taking risks, leveraged data to demonstrate improvements, and crafted metrics to ensure continued successes.

“It was less about how to deliver tools and more about delivering new capabilities and processes and then driving improvements,” Jajoo says.

Developing, drawing on transformational traits

Although the Forrester report declares that every CISO must now be a transformational leader, Pollard and others actually allow for some breathing room.

In fact, Pollard says he does not see the need for all CISOs to be transformational leaders all the time. Nor, he says, are all CISOs inclined to be one. Some CISOs are most comfortable and most capable at managing a steady-state environment where the focus is primarily on successfully maintaining secure operations and adjusting incrementally as needed.

Moreover, some companies don’t want a transformational CISO, Pollard says. Those companies might have recently completed a significant change initiative and are moving into a maintenance phase. They might be in industries that aren’t currently seeing disruption. Or they might not be ready for the broader organizational change that a transformational CISO would be primed to support. In such cases, a transformational CISO would be a poor fit and would likely be unhappy and unsuccessful.

On the other hand, however, Pollard and others say that many CISOs — even those who don’t or can’t fully embrace the transformational label — will have to develop and hone some of the characteristics and traits that transformational CISOs exude because nearly all organizations today will face some disruption.

“Even if transformation isn’t your thing, you might have to do some transformational activities,” Pollard says, adding that most professionals are capable of growing into the part even if they’re not naturally built that way.

Andrea Szeiler, the Budapest-based global CISO for Transcom, a customer-experience management company, has reflected on her skills and traits and determined she’s naturally well-suited for transformational roles — rating as influential, enthusiastic and persuasive as well as competitive, driven and results-oriented on personality assessments.

Andrea Szeiler

Experienced in leading transformation, she says she also learned the value in combining — and even tempering — her natural attributes with other equally important skills to ensure she’s building consensus and inspiring others on her team and throughout the enterprise.

More specifically, Szeiler, a board member of with the ISACA Budapest chapter, says she has worked on staying calm and being patient.

“I hear from others, ‘You’re a tank, we can’t stop you,’ so I trained myself not to go too fast, to be patient, because if you go alone, then the company’s not with you,” she says. “You need to be able to move everyone with you.”