Six Traits Of Successful Enterprise CISOs
Effectively Judging Risk To The Company And Protecting The Brand
Congratulations on becoming an enterprise cyber security leader. What does it take to not only survive but thrive in this role? Cyber Security Hub enlisted the help of security and data privacy practitioners to identify the key tenets that separate average leaders from exceptional business leaders.
We identified six of the strongest qualities in a CISO including being multidimensional and even thinking like your adversaries. By striving for higher goals and setting a good example for future generations of security leaders, the CISO will become an increasingly important member of the organization’s executive team.
In the C-suite, often the greatest emphasis is placed on leadership, communications skills and business savvy, among other things. “The special gift the CISO brings to the C-suite is a focus on risk beyond the balance sheet,” said Bob Turner, CISO and Director, Office of Cybersecurity at University of Wisconsin-Madison. Most of the time that focus serves as a reminder to others. “Still, in addressing some business issues the CISO may be the only one at the table thinking of cyber security risk.”
As a great CISO, you’re multidimensional: possessing all these qualities along with project management and organizational skills, the ability to strategize, plan effectively, prepare budgets and organize tasks. You also add into the mix an in-depth knowledge of and experience with the various systems, controls and tools that work together to keep an organization’s data safe.
“We are no longer looking at just cyber vulnerabilities, we are judging the risk to the company and how we need to go about protecting the company brand,” said Michael Welch, Managing Director, GRC, Strategy, vCISO at Vaco. At minimum, you know your systems, how they integrate with your organization’s policies, where your cyber security efforts can improve, the current threat landscape and what your company’s right-sized risk looks like, but you do so without neglecting the other qualities that set apart successful C-suite executives.
“The CISO must be literate in every aspect of the business,” said Dennis Leber, CISO, Cabinet for Health and Family Services, Commonwealth of Kentucky. Other C-suite executives must understand their part of the business but the CISO must KNOW each part of the business and possess the information to enable the business. “The CISO that matches this makes the most logical replacement for the CEO.”
2. Do Not Rest On Your Laurels
You’ve got the entrepreneurial spirit and passion that it takes to get the job done, but you also understand “what it takes” can change at any moment. It’s not enough to just react to a threat or a breach. Cyber security and information technology is a world in constant flux, and to stay protected, you invest in yourself and your team regularly in the form of continuing education. “The process is continuous and you must continue to engage and motivate your team,” added Vaco’s vCISO Welch.
Policies, emerging tech, new exploits, bugs and even social issues can all affect how protected your organization is against threats and how large of bullseye you have on your back at any time. You understand that knowing about those changes before anyone else does is the best way to minimize risk. “The CISO mindset is one that leads their security managers to initiate, plan for, and continuously maintain close alignment between their security operations, projects, processes, policies, and acquisitions of technical solutions, with the organization’s overall strategic objectives,” said data privacy and cyber security law expert Jamal Hartenstein.
3. A Deep Respect For Your Adversaries
A great CISO has profound respect for their adversaries, whose efforts regularly put millions of sensitive records, millions of dollars and the reputations of global brands at risk. You don’t believe you’ve got it all figured out, you a mindset of healthy suspicion and you’re able to be honest with yourself about where your cyber security efforts are failing, where the ‘bad guys’ have outsmarted you in the past and how you can learn from your mistakes. And cyber professionals do more than “catch” hackers. “We must change the conversation to enabling the mission through cyber and embedding cyber into everyone's roles, not just a CISO or the security team,” said Jothi Dugar, CISO, NIH Center for Information Technology.
You also understand how to think like a cyber attacker. Domini Clark, Blackmere Consulting Principal says “The ability to think like a ‘bad guy’ enables security professionals to anticipate what hackers might try…this ability is lovingly referred to as the evil ‘bit’ (as in bits and bytes), which seems to be coded into the personalities of many industry superstars.” The famous use of the Russian proverb “Trust, but verify” by President Ronald Reagan is a fitting mantra for the enterprise CISO.
4. The Great Communicator
As an all-star CISO, you know how to listen to all aspects of the organization, communicate complicated ideas simply, recruit champions to your cause and craft a culture around cyber security. Data breaches have far reaching consequences from financial losses to crushed reputations, and you know it’s simply not enough to tell the board that a situation is being “handled.” Sure, cyber security may not be their forte, but you use risk benchmarks compared to others in your industry and discuss current trends to help keep everyone informed. As said by NIH CISO Jothi Dugar, “Being an effective and empathetic communicator and ‘translator’ is a crucial aspect of being a CISO. We must learn to communicate to all roles in a way THEY understand, not in the way a security professional understands.”
You also understand that the greatest cyber security policies in the world are rendered useless if your organization, at every level, doesn’t get behind the initiative. By working with other business units and helping to craft the appropriate message, you position cyber security policy in such a way that safe practices become part of the business culture rather than an annoyance or burden. The successful CISO has the ability to communicate upward to the board in order to gain their support, the ability to communicate across business areas to understand the business and the ability to communicate to your team to make sure that you are utilizing your people, building process and implementing technology in order to be both preventative and reactive.
5. A Natural Multitasker In A Demanding Environment
The responsibilities and areas of focus for the superstar CISO are many. You’re in the past, trying to understand why a breach wasn’t prevented or vulnerability wasn’t discovered sooner. You’re in the present working to shore up your systems and policies against the latest black hat threat, making existing policies more user-friendly and efficient, or working around the clock to respond to a crisis. You’re in the future, preparing for as yet unrevealed threats, staying ahead of the curve by gauging the current state of cyber security and continuously working to educate yourself.
See Related: Workforce Well-Being In The World Of Cyber
The successful CISO “does not have to be a workaholic,” said NIH CISO Jothi Dugar. “Focus on the areas of risk that have been identified and work smarter.” CISO Bob Turner echoes the sentiment saying, “The successful CISO knows how to balance crisis, regular work, and the need to have downtime with friends and family to recharge. It is too easy to get immersed in work routines, work culture and work crises.”
6. You Work Well With Others
The world’s greatest CISOs are team players. You recognize that cyber security and IT have a responsibility to other organizational departments, and that it takes cooperation across the board to implement new technologies and cyber security policies effectively. “One key to success is to build a team around you to support the workload, which includes support from executive management,” said Vaco vCISO Welch. When a contemporary questions a new policy or inquires about a current cyber issue, rather than get defensive, you remember the value of feedback from all sources. You remember that everyone has a job to do, that what’s best for security isn’t always best for productivity or efficiency and that finding the happy medium where risk gets right-sized means working together.
A leadership approach that benefits organizations is one that demonstrates to stakeholders that the CISO’s information security objectives are in strategic alignment with the overall mission, vision, and operational goals. “This is achieved by helping the C-suite and Board understand and identify their own appetite for risk, then make informed decisions based on a balance between their budget constraints, operational objectives, and IT Security risk appetite,” said data privacy and cyber security law expert Hartenstein.
See Related: Enterprise Cyber Security Trends and Predictions