February 12, 2016 By Christophe Veltsos 3 min read

“No longer merely a digital sheriff called on to protect the firm’s data valuables, the CISO is expected to act as a full strategic partner with the rest of the C-suite.” – Egon Zehnder’s “Evaluating and Attracting Your Next CISO: More Sophisticated Approaches for a More Sophisticated Role

The various roles that CISOs may play, including translator, diplomat, trust builder, strategic thinker and other leadership qualities, have been covered. But what is needed to support them in the role of a risk leader?

A New Challenge for the CISO

As boards and management seek to tackle cyber risks, CISOs must now rise to the challenge and adapt to the pressure of increased visibility and responsibility. When it comes to cyber risks, boards and management have turned their gaze and their trust toward the CISO to help the organization address an issue that can impact all areas of a business.

However, some CISOs might not be ready to be cyber risk leaders. Conversely, they might find themselves operating in an environment that makes it difficult for them to operate as risk leaders.

Deloitte developed and conducted CISO Transition Lab workshops to assist CISOs with the challenges of operating in environments that suffer from lack of funding, support, visibility and communications. Deloitte reported that the CISO role can be viewed as being composed of four faces:

  1. Strategist: They must drive business and cyber risk strategy alignment and instigate transformational change to manage risk.
  2. Adviser: CISOs educate, advise and influence activities with cyber risk implications.
  3. Guardian: Leaders protect business assets by managing the effectiveness of the cyber risk program.
  4. Technologist: They assess and implement security technologies and standards to build organizational capabilities.

Unfortunately, CISOs reported that they spend 77 percent of their time being guardians and technologists, despite the fact that they would like to spend more time being advisers and strategists.

What Makes a Successful Risk Leader?

The Chartered Global Management Accountant (CGMA) association argued that a successful risk leader should be:

  • Independent and influential;
  • A clear and concise communicator;
  • A standard-bearer for what’s right; and
  • Credible.

Egon Zehnder, an executive search and talent management consultancy, distilled four traits of successful leadership in the face of the many challenges presented by the modern world. These four traits are:

  1. Curiosity;
  2. Insight;
  3. Engagement; and
  4. Determination.

Building for a Better Future

For the CISOs who are ready to spend more of their time and energy setting security strategy and being risk advisers, here are some key leadership traits to develop:

  1. Have a sound understanding of the business. This is a key skill since everything the CISO does revolves around enabling the business to meet its objectives while minimizing the impact of negative risks. Yet many CISOs come from technology backgrounds and may not see the value or have the drive to ask questions that will afford them a solid picture of the business.
  2. Be a good communicator. CISOs should challenge themselves and others around them to ensure the security message is delivered as effectively as possible. Perhaps a quick review of Aristotle’s modes of persuasion might even be advised.
  3. Be receptive. Many CISOs find themselves walled up from the rest of the business due to their nonreceptive — or, worse, abrasive —ways of handling queries from fellow executives and business managers.
  4. Provide value and insight The CISO must be able to align his or her strategy and execution with the business objectives, but also have the insight to account for cyber risks that others might not fully appreciate. This is heavily dependent on the CISO’s ability to communicate and be receptive.
  5. Have good emotional IQ. CISOs must be able to see and sense the critical role that interpersonal dynamics play in all areas of the business.
  6. Have the courage and strength to fight the good fight. As the CGMA article put it, the risk leader needs to be able to “help the board set the risk appetite in line with the business model and act as wise counsel and effective challenge to the CEO, board and broader business.” While constantly butting heads with top leadership would not be advisable, an honest disagreement where CISOs can show the reason for their stance (i.e., helping the business achieve its objectives or helping shareholders achieve value) can be well-received.

More from CISO

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Boardroom cyber expertise comes under scrutiny

3 min read - Why are companies concerned about cybersecurity? Some of the main drivers are data protection, compliance, risk management and ensuring business continuity. None of these are minor issues. Then why do board members frequently keep their distance when it comes to cyber concerns?A report released last year showed that just 5% of CISOs reported directly to the CEO. This was actually down from 8% in 2022 and 11% in 2021. But even if board members don’t want to get too close…

The CISO’s guide to accelerating quantum-safe readiness

3 min read - Quantum computing presents both opportunities and challenges for the modern enterprise. While quantum computers are expected to help solve some of the world’s most complex problems, they also pose a risk to traditional cryptographic systems, particularly public-key encryption. To ensure their organization’s data remains secure now and in the future, chief information security officers (CISOs) should educate themselves about quantum computing, proactively address the coming quantum risks to cybersecurity and work to establish cryptographic agility in their enterprise.A future cryptographically…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today