



5 top qualities you need to become a next-gen CISO

Nov 30, 2022
CSO and CISO, IT Leadership, IT Skills

The world of cybersecurity changes quickly. If you want to be at the top of your game, a next-generation (“next-gen” in IT-speak) CISO, you should consider these guidelines for building and maintaining the skills and relationships that can take you to the next level.

[Image: A ladder extends into clouds in the sky. Credit: Dmitry Larichev / Getty Images]

Ransomware and data breaches pose a massive risk to organizations, resulting in loss of customer trust and shareholder value, reputation damage, hefty fines, and penalties. Cyber risk is a top concern in US corporate boardrooms, elevating the role of the chief information security officer to rapid prominence. More than half (61%) of CISOs report to a board and board members are increasingly interested in what CISOs have to say. But technical skills alone won’t suffice for today’s CISO. Here are the top qualities that identify a next-generation chief information security officer.

  1. Displays a strategic focus

Next-generation CISOs are distinguished by their visibility and confidence. The best will frame issues from a business perspective rather than a technical or tactical viewpoint. They present themselves as visionary leaders and not as firefighters only to be deployed in the event of an emergency. They have a broadly strategic vision around cybersecurity and its evolving threat vectors and regulatory mandates. They are strong communicators, speaking in a language the business understands and aligning cybersecurity concepts to the goals and strategy of the business.

  2. Balances opportunity with risk

Not all risk is bad or harmful, but unmanaged risk certainly can be. If the CISO is claiming that all risk is bad and must be squashed, they may fail at connecting with associates and hinder progressive plans. Next-gen CISOs should be enablers rather than blockers. They must help executive teams balance opportunities with risk. What is the tolerance level? Where is the line a business shouldn’t cross? These are questions CISOs must help answer. Risk is a business decision and not a security decision — while it’s the CISO that initiates the risk and reward discussion, it’s the business that must decide whether it wants to accept the risk or do something about it.

  3. Allows leadership experience to shine through

Next-gen CISOs are charismatic, innovative, well-connected, and well-respected individuals across the organization and the security industry. They never waste an opportunity to show the value information security brings to the business. They are increasingly creating reporting structures outside of IT to emphasize their independence. Next-gen CISOs regularly participate in industry events and often share their experiences across social media as well as broadcast and print media, helping to further their reputation and influence.

  4. Understands the business, earns trust, and practices empathy

Next-gen CISOs need to understand the business context behind day-to-day challenges faced by employees, without which they cannot make the right security decisions. They should help build employee, customer, partner, and business stakeholder trust through regular engagement and collaboration. CISOs must shed their ivory tower mentality and build bridges with those departments and managers known to be critical of information security. They must be willing to shift attitudes and raise expectations as part of a larger culture change exercise. They should think hard about the implications and ramifications of what they are trying to do and whether it will cause friction. If so, they must proactively gain the trust of all important stakeholders and be emotionally intelligent and sensitive to their needs.

  5. Speaks in a language that resonates across all levels

CISOs must be ready to evangelize their craft to senior executives, board members, and non-executive directors. They should rehearse key appearances and visit board members in advance to understand their priorities and determine how best to accommodate their needs. C-level executives are often very demanding in terms of the information they need, so any new initiative or change in strategy should be backed up by rigorous statistics and metrics. At the lower level, CISOs must speak in a language that is understood by even the most non-technical. They should use analogies, storytelling, and training techniques to educate employees on the importance of security best practices. They must encourage staff to think about how risk may affect them directly and the negative impact it can have on their data privacy, their peers, and the company.

Security as a concept is deeply rooted in trust and trust is the key aspect separating next-generation CISOs from ordinary ones. As cybersecurity experts and visionaries, next-gen CISOs play the critical role of advisor and guide, someone who anticipates rough weather and steers the organization out of choppy waters, keeping it resilient in turbulent times.

Contributing writer

Steve Durbin is chief executive of the Information Security Forum, an independent, not-for-profit association dedicated to investigating, clarifying, and resolving key issues in information security and risk management by developing best practice methodologies, processes, and solutions that meet the business needs of its members. ISF membership comprises the Fortune 500 and Forbes 2000. Find out more at
