Engagement, Innovation Among Top Traits of Successful CISOs

Top-performing chief information security officers (CISOs) stand out for their commitment to personal and professional growth, according to a recent Gartner survey.

The study, which involved 227 CISOs from 2020 to 2023, found that 69% of high-performing CISOs dedicate time to their professional development, while only 36% of lower-performing counterparts do the same.

The results underscored the importance of continuous learning: as the CISO role evolves rapidly, staying current and acquiring new skills is vital for CISOs to serve effectively as strategic advisors to their organizations.

The research highlighted key behaviors setting top-performing CISOs apart from their peers—behaviors found to be at least 1.5 times more prevalent among top performers.

More than three-quarters (77%) of top-performing CISOs initiate conversations in the enterprise on evolving national and international security norms, such as hacking back and threat attribution.

In addition, more than six in 10 (63%) top-performing CISOs proactively engage in securing emerging technologies like artificial intelligence (AI), machine learning (ML) and blockchain.

Top-performing CISOs also build relationships outside the context of projects (65%) and collaborate to define enterprise risk appetite (67%).

What Makes a ‘Good’ CISO?

John Pirc, vice president at Netenrich and a former CISO, said what separates a good CISO from a bad CISO is continuous learning and development.

“If you are not taking that personal development time, you become a risk to the organization,” he said. “With that said, the numbers could be skewed as some CISOs might not have the luxury if they are new to the role or in firefighting mode.”

Gareth Lindahl-Wise, CISO at Ontinue, said the findings of the Gartner report were not surprising to him, because they highlighted the characteristics of almost any high-performing leader.

“All too often, businesses ‘trade’ subject matter expertise for leadership skills in security and are then surprised by the outcome,” he explained. “If you look around a board table, few other seats are occupied by people with just their subject matter expertise as credentials.”

From his perspective, the report demonstrated the value of forward-looking thinking, building strong relationships outside of the standard IT line and developing non-technical leadership skills.

“This better equips the CISO to step out of purely ‘transactional’ relationships with the business into genuine business outcome-focused partnerships,” he noted.

A Teaching Moment

Pirc added that CISOs must educate stakeholders about the importance of cybersecurity and the risks that the organization faces.

“This includes providing regular security awareness training and communicating security updates and alerts,” he said. “CISOs should also involve stakeholders in security decision-making processes.”

He explained this will help to ensure that security decisions are aligned with the business needs of the organization.

Lindahl-Wise added that, while it may be implied in the report, CISOs should not forget the critical skill of acting as a translator from the technical to the business realms.

“Language and context are so important in the board room to go from being heard to being understood,” he said. “My 12-year-old son doesn’t react well to ‘rules without reasons’; don’t expect your board to be any more tolerant.”

He recommended collaborating with peers in the organization to create a clear line of sight between security risks, opportunities and business objectives.

“This is likely to transform the relationships a CISO has and will supercharge the adoption and acceptance of a security program,” Lindahl-Wise said.

Pirc agreed that CISOs need to demonstrate the value of cybersecurity to the organization.

“This can be done by tracking security metrics, such as the number of security incidents prevented, and communicating the benefits of these improvements to stakeholders,” he said. “I would add collaborating with other CISOs in the industry.”

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.