• United States



UK Editor

5 key qualities of successful CISOs, and how to develop them

May 04, 20217 mins
CareersCSO and CISO

CISOs today need significantly different skillsets to cybersecurity leaders of the past as they become more critical to business success.

Conceptual image of three figures running toward a goal, along trend lines drawn by a large hand.
Credit: Thinkstock

The role of the CISO is relatively immature in comparison to other, longer standing C-level business positions such as CEO, COO, or CFO, but it has evolved significantly in just the last few years alone. Today’s CISOs are required to be somewhat different from the traditional security leaders of the past, and that is reflective of two things: the vital and growing role data plays in the everyday running of a business and increased expectations of the security function to keep that data safe and operational.

“Previously, the CISO role was solely technology focused, and that technological aspect will remain foundational,” Tami Hudson, CISO at Randstad North America, tells CSO. “However, in our increasingly digitized and data-driven environment, the CISO role has provided a unique opportunity at the intersection of technology and business to build pervasive cyber resilience that impacts every part of the business, from the boardroom to the mailroom. When everything is digital, everything is at risk.”

Today, business success is directly intertwined with the success of information security. Therefore, the modern CISO needs a unique set of qualities to align effective data security strategy, process, and practice with various business needs and requirements.

Here are five of the most important qualities of today’s CISOs, along with advice on how to garner and maintain such skills, according to various professionals working across the global information security sector.

A modern CISO speaks the language of the business

In the early days of cybersecurity, the first CISOs were expected to perform highly technical and often undisclosed actions to protect their organizations, explains Dave Stapleton, CISO at CyberGRX. “Today, CISOs cannot afford to simply be the ‘tech guy’ for their organizations,” he says. They equally need to understand the mission of their company, articulate how their work supports that mission, provide actionable insights to leadership, and create a security-focused culture throughout their organizations.

If CISOs do not fully understand the mission of their business or cannot effectively communicate the impact of security on that mission, then their effectiveness will be hampered at the very least,” Stapleton adds. “In some scenarios, this inability to communicate could even result in poor decision making, by the CISO or leadership, that directly and negatively affects the security of the organisation.”

For CISOs to develop business-focused communication skills, Stapleton believes that ongoing practice is key. “Unfortunately, this can be difficult if a CISO works for an organization that does not solicit or value their input. That said, every CISO should be able to find opportunities to articulate their message to leadership. Every one of those opportunities is meaningful and potentially opens the door to subsequent engagement.” He suggests that CISOs also expand their reading beyond technical blog posts and security news outlets to include business news sources such as the Wall Street Journal, Forbes, or Bloomberg.

A modern CISO is a collaborator

Very much aligned with the ability to speak the language of businesses, CISOs today must also be adept, interdepartmental collaborators, able to build and maintain relationships across an organisation. “Cybersecurity is not a discipline that operates in isolation,” Ian Glover, president of international information security accreditation and certification body CREST, tells CSO. “To be effective, cybersecurity needs the support and expertise from other parts of the business, as diverse as IT and communications, internal audit, human resources, marketing and even cultural change programs.”

Glover adds that CISOs need to identify areas of the business where they can gain support and “work hard” to build collaborative relationships built on “trust, empathy and clarity of purpose.”

Mark Nicholls, CISO at Chime Group, concurs, highlighting the importance of an organisation’s people in any security strategy. “Without strong relationships throughout the business, it is very hard for the security function to be effective. It is important for every member of the security team, including the CISO, to spend time with the various business units to understand their goals and how security can help achieve them.”

A “no blame” culture that also calls out successes and rewards good behavior will help build those relationships, says Nicholls. “Building trust with the business means the business will come to the CISO for help and involve them early on in projects which aids the secure by design principle, rather than trying to retrofit security after the horse has bolted.”

A modern CISO is emotionally intelligent

CISOs today need to be emotionally intelligent, says chair of the ClubCISO global community Stephen Khan, explaining that such a quality should extend to both empathy for others and self-awareness of oneself. “Leading a team in what is often a high-pressure environment means one of our primary concerns is for their well-being and making sure we support them,” says Khan. “Having empathy and understanding about what is worrying them helps here and ensures we are genuinely interested and engaged. This leads to a more positive outcome.”

Likewise, recognition and understanding of one’s own biases and knowledge gaps is crucial within modern security leadership roles, Kahn adds. “Being aware of these ensures we can build a diverse, inclusive team, and it allows us to make sure we hire people who complement our knowledge and support areas of weakness.” What’s more, given the pressures of the modern CISO role, “self-care and being able to find balance of life/family/self/work is critical to avoiding burn out issues,” something that has been widely reported to plague security leaders across the globe.

A modern CISO has strategic focus

One of the most under-appreciated, important qualities of a modern CISO is strategic focus, says Emilian Papadopoulos, president of Washington-based cyber risk advisory firm Good Harbor. “CISOs get hit with noise and distraction from all directions: the latest TTP [tactics, techniques, and procedures], ever-updating technology solutions, changes in the business environment and a flood of questions from executives, regulators and customers. While other executives might unplug here and there to regain strategic focus, most CISOs, by virtue of their role, are connected nearly 24/7.”

Focusing on strategic priorities rather than reacting to inbound information is therefore a common and noteworthy challenge for CISOs today, Papadopoulos adds. “However, I’ve seen terrific CISOs who excel at this in a few ways: through having a concise, documented strategy or shortlist of priorities, by getting top stakeholders to agree and share ownership of the priorities so they become externally driven rather than just the priority of the CISO themselves, and by spending time in peer-to-peer conversations with other CISOs where they can focus on their most important issues rather than reacting to other peoples’ most important issues.”

A modern CISO is tenacious

Finally, today’s CISOs need a tenacious nature that allows them to continue to strive towards improvement in the complex, multifaceted security landscape. “Cybersecurity does not generally have quick fixes. Therefore, it is essential that the CISO takes a long-term perspective,” says Stapleton. “The changes, however sensible and supportable, will require investment in time and resources. These resources will deflect attention from other activities that are often easier to understand and more directly support the normal business operations.”

CISO must present a consistent message about how to make improvements in cybersecurity, Stapleton adds. “They are unlikely to get a ‘yes’ on the first time of asking. Therefore, the CISO has to have the ability to take a ‘no’ and continue to present the case for support and funding.”

Kahn agrees: “There will be occasions which will present pressure from stakeholders. Maintain confidence in the direction your function is driving and be mindful with the rational and effort required to change direction. Maintaining focus will help your teams to be successful as opposed to changing direction too often based on stakeholder sentiment and burning your team out.”

UK Editor

Michael Hill is the UK editor of CSO Online. He has spent the past five-plus years covering various aspects of the cybersecurity industry, with particular interest in the ever-evolving role of the human-related elements of information security. A keen storyteller with a passion for the publishing process, he enjoys working creatively to produce media that has the biggest possible impact on the audience.

More from this author