Traits of a Successful CISO

William K. Santiago
4 min read · Aug 10, 2017

Align Towards Strategy

Good leaders work strategically, keeping the interests of the company in mind. Good CISOs do not focus only on IT security initiatives; they make decisions based on the company’s strategies, goals and vision, and they are both knowledgeable and competent. While pursuing the company’s goals, he or she is able to communicate those goals, and the logic behind the company’s vision, efficiently to the entire team. At times strategies and objectives will conflict with one another. A good CISO is able to focus only on the ones that are significant to the company vision.

Introduce Innovative Ideas

Each department within the organization is accountable for its own area of responsibility and brings its own strengths. Productive discussion between the leaders of each department is highly important to the success of the innovation process. It is imperative that the CISO be able to clearly depict the IT security view as it applies to the innovation process, while at the same time comprehending the other aspects and requirements within the other departments.

Be Nimble and Deliver Results

A CISO must lead the IT security team in an imaginative way while maintaining focus on the company’s business goals. What differentiates a good IT security team from an incompetent one is its nimbleness and agility in delivering expected results within a reasonable timetable. Projects and tasks will be accomplished every time when a great team is led by a great leader. Unexpected cyber security risks and breaches need to be reported by the CISO in a concise way. The CISO needs to clearly communicate the tasks involved in mitigating or preventing cyber security risks, and the state of each project, to the IT department and executive members. Unnecessary security risks and unanticipated challenges will have a detrimental influence on the company as a whole.

Be a Leader in IT Security Infrastructure and Scalability

A good CISO leads the way by staying ahead of the IT security industry, acquiring, integrating and developing IT security infrastructure that places the business in a more advantageous position. The CISO must also ensure that all IT security infrastructure and monitoring systems can scale to meet growth demands. An essential trait is to stay focused and not lose sight of company goals.

Become Accountable via Unified Metrics

To operate an efficient organization effectively, the CEO and CISO must agree on standards for measurement and evaluation. IT security team goals and their corresponding Key Performance Indicators should be in line with the overall company ambition (e.g. high user satisfaction), system efficiency goals (e.g. cyber security breach resolution time) and availability standards (e.g. days without a security breach). A low metrics grade indicates a less than effective communication process. Misdirected development, an adrift department, and an inefficient business can all result from inadequate agreements established at the outset.

Run a Well-managed Cyber Security Team

Given the pressures and high demand to deliver the best cyber security, CISOs must work on getting business managers more involved in policy definition and risk management. This requires more collaboration between security, IT and operational technology groups. Intelligent management of the business-within-the-business will bring about higher earnings for the whole company through cost savings.

The three Cs that are necessary for any CISO to succeed:

Control

The proliferation of mobile devices, evolving endpoints, and the Internet of Things (IoT) has brought a major increase in IT department budgets and resources. The addition of more devices, cloud applications and mobile users greatly increases the attack surface. Trying to secure this growing pool of IT assets with an understaffed and under-skilled cyber-security team is almost impossible. Since most of these endpoints run software written by third parties rather than produced in-house, the organization no longer has direct control. To regain control, a CISO needs to treat the IT infrastructure as part of the development process for the software that these endpoints run, making sure that security remains under the organization’s control.

Communication

For the organization to be successful, executives need to manage relationships throughout the organization. This communication needs to extend from the edge employees, to the IT professionals, to the CIO and upper management. A clear security response has to be planned and communicated in advance as part of the company’s defense strategy. A thorough understanding of the security risks will lead upper management to approve financial support and the flow of funds in an expedited manner.

Connection

A crucial consideration for smaller companies with limited resources is to establish reliable and trustworthy partnerships in order to outsource some of the security burden. This will ensure that every app/service they approve or piece of software they roll out is secure. Managing security in isolation is no longer feasible or wise; some kind of connection is necessary to combat emerging threats.

Complementary strengths and personalities bring about a better relationship between the CEO and CISO, but minimum expectations must be met first before moving forward. A CEO depends on the CISO to manage the cyber security technical details of the business and to keep company objectives in view while focusing on those technical details. A great CISO will also bring experience, knowledge, accountability, management skills and business insight to the executive team.


William K. Santiago

Founder & CEO, C4 CBP at PrivKey LLC, Blockchain strategist, cybersecurity