AppDefects
Community Champion

Dimensions of Effective CISO Leadership

What are some traits of a successful CISO? A recent CSO Online survey says:

  1. Leadership skills
  2. Communications skills
  3. Strong relationship with business executives
  4. Management skills
  5. Technical skills

The absolute key to CISO success rests on the executive team. Their attitude and actions tend to make or break CISOs.

4 Replies
CISOScott
Community Champion


@AppDefects wrote:

What are some traits of a successful CISO? A recent CSO Online survey says:

  1. Leadership skills
  2. Communications skills
  3. Strong relationship with business executives
  4. Management skills
  5. Technical skills

The absolute key to CISO success rests on the executive team. Their attitude and actions tend to make or break CISOs.

I would disagree slightly. The key to success is the CISO's attitude and their ability to work with people. The 5 things you mentioned all play a part in that role. A successful CISO will have the ability to understand the dynamic they are coming into and be able to work with people of varying levels of IT knowledge, workplace ethics, power (politics), and personal traits.

An executive team can make or break you, but they will not do it without you having laid the way. If you are a jerk then very few people are going to want to help you succeed.

I would add that it is imperative that the CISO build confidence that others have in the CISO. This is done by building trust and respect. I have seen CISOs fail that had very weak technical skills because they hid their incompetence by using fear and trying to demand that everyone "bow to them" and their "authority". I have seen CISOs fail because they had a "Do as I say!" and not a "Do as I do." philosophy. I have seen CISOs ignore their own policy that they authored because of an "I'm the security guy! I should be able to do whatever I want." mentality. I have seen CIOs (yes I know not a CISO role, but similar role) fail because they didn't want to get a certification. I have seen many security professionals kill their career by trying to be an authoritative jerk.

dcontesti
Community Champion


@CISOScott wrote:

I would add that it is imperative that the CISO build confidence that others have in the CISO. This is done by building trust and respect. I have seen CISOs fail that had very weak technical skills because they hid their incompetence by using fear and trying to demand that everyone "bow to them" and their "authority". I have seen CISOs fail because they had a "Do as I say!" and not a "Do as I do." philosophy. I have seen CISOs ignore their own policy that they authored because of an "I'm the security guy! I should be able to do whatever I want." mentality. I have seen CIOs (yes I know not a CISO role, but similar role) fail because they didn't want to get a certification. I have seen many security professionals kill their career by trying to be an authoritative jerk.


Totally agree with Scott on this one, especially the comment on "authoritative jerk".

d

AppDefects
Community Champion


@CISOScott wrote:

I have seen CIOs (yes I know not a CISO role, but similar role) fail because they didn't want to get a certification. I have seen many security professionals kill their career by trying to be an authoritative jerk.

That is the textbook mistake, isn't it? Is it because consensus building is too hard? Also, what surprised me about the survey was that technical skill was ranked so low. How can they understand risk and controls if they don't value that skill and knowledge? How do you find and retain a good CISO?

canLG0501
Newcomer III

I wholeheartedly agree with the dimensions outlined.

How can they understand risk and controls if they don't value that skill and knowledge?

It is not sustainable to gloss over the technical skills and knowledge required if the goal is to be successful in the CISO role. Today the toolset that operational teams manage daily is very granular. The CISO must be able to understand the details to obtain the value for the organization and assess risk appropriately.

How do you find and retain a good CISO?

Retaining a good CISO requires the person selected to be able to influence the culture and continue to grow professionally. The executive/leadership team must value this role.