The 7 Habits of Highly Effective CISOs

A spate of recent posts in the information security space decry the plight of the CISO—a vital role, but a position with a notoriously short tenure.

But what about those CISOs who consistently manage to get the job done—and keep their jobs in the process? That’s the question we asked when we set out to discover the seven habits of successful CISOs, which we count down here. The successful CISO:

1. Balances people, processes, and technology—with the accent on people

The CISO’s role encompasses a wide and fast-changing range of technologies, the creation and dissemination of policies, the navigation of regulatory and legal requirements, and, most critical of all, the management of people. That last part calls for an extremely broad set of skills spanning negotiation, training, communication, enforcement, and encouragement. As such, it’s not hard to see why CISOs who expect technology alone to solve their security problems quickly end up in quicksand.

Successful CISOs know better. Dr. Larry Ponemon, of the Ponemon Institute, puts it this way: “For most organizations Step One tends to be technology rather than people, which is a mistake. [CISOs] should first get their people squared away, and then start making investments in technology. But we’re constantly fighting the mantra of ‘better security through better technology.’ It doesn’t work that way. It seems like everything we’ve done—I mean everything—from a security environment point of view, a metrics point of view, to the overall effectiveness of the CISO, comes down to the ability, or unfortunately the inability, to train people so that they understand the rules of the road.”

2. Sees information security as a risk issue, not an IT issue

Security breaches are not merely “technical glitches”—they go to the very heart of an organization’s stewardship of its own assets and of those it is entrusted to safeguard. Technology not only cannot cover all the risks, it also frequently fails. Relying exclusively on IT to keep information safe is a bad strategy on many levels.

RSA supports this assertion when they say, “The cost of security hardware and software purchased has absolutely no corresponding effect to the level of security.” And successful CISOs know this. They also understand that information security management is like an insurance program for managing risk to reduce the likelihood of costly incidents—and that training is the best insurance of all.

3. Assumes an executive posture

The most successful CISOs enjoy a high level of influence within the C suite, as well as with the board and other stakeholders. And that means dealing with their fair share of politics as they work to build trust, credibility, and buy-in.

The ability to address security issues in the context of the broader business issues is also key. Implicit in this, of course, is a good measure of actual executive-level control. Otherwise, as Spaf’s Law puts it, failure is certain: “If you have responsibility for security but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong.” Not exactly a recipe for success.

4. Is adaptable

No question, the CISO, like all other department chiefs, has to compete for resources. Oftentimes that calls for flexible, nimble, and creative problem solving.

But more than that, successful CISOs know they must also anticipate the unknown, which calls for an entirely different level of adaptability. The nature of the threat landscape is constantly changing, which requires an agile and responsive framework to meet threats as they present themselves. And that includes security awareness training that adapts quickly to changing realities.

5. Changes the culture

Changing the security-related behaviors that shape an organization’s culture takes a deliberate and focused effort. And this is exactly what successful CISOs do—they change the culture. It is a task that takes time, and one that never ends.

In addition to aligning the security agenda with the business objectives, the CISO must also connect with the rank and file. Successful CISOs understand that security-aware behaviors—and the work it takes to develop those behaviors—have an impact on employees.

Therefore, relating the importance of security mindfulness to the day-to-day realities of employees is crucial. That’s why successful CISOs choose security awareness training programs that are both relevant and rewarding to learners. In the process, the successful CISO gains buy-in from across the organization.

6. Is data-driven

The successful CISO maintains a clear and constant understanding of the organization’s ever-changing security posture. That not only takes data, but the right kind of data. To this end, the most effective CISOs consistently measure results against established KPIs—and even some not-so-well-established KPIs. They also rely on metrics such as Ponemon’s Security Effectiveness Score to track essential—and measurable—security parameters, all of which are key to demonstrating ROS—Return on Security.

7. Sees vulnerabilities from the viewpoint of attackers

Successful CISOs understand how attackers think and operate, which means being a student of both offense and defense. Maybe that’s why so many successful CISOs keep the words of Sun Tzu (The Art of War) close at hand: “If you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.”