The DNA of a CISO: crisis capability meets commercial clout (Digital Leaders)
With cyber attacks on the rise and data breaches under greater scrutiny than ever before, strong technology and security leadership is critical for savvy businesses to safeguard against growing threats and create a culture driven by cyber threat awareness. Matt Cockbill, Partner in the CIO & Technology Officers Practice for Odgers Berndtson, says the CISO is leading the security leadership charge. Here, he examines the role of the CISO in effective security leadership and what CISOs, businesses and the Board must do to get it right, with insights into challenges such as normalisation and corporate burnout.
In step with the pace of technological developments and the still rising number, level and scale of sophisticated cyber attacks, the importance of the role of Chief Information Security Officer (CISO) has grown significantly.
Billed as one of the ‘hottest roles around’ in leadership talent today, the position of CISO signals that a business and its Board take information and cyber security seriously. Typically, the CISO’s influence reaches across the entire organisation. A CISO brings a unique set of specialist skills and capabilities to the leadership function, with a focus on shaping a relevant, effective security strategy to drive transformation across the organisation.
As a senior-level executive within an organisation, the CISO is responsible for establishing and maintaining the vision, strategy, and programme to ensure information assets and technologies are adequately protected. The CISO directs the entire workforce in identifying, developing, implementing, and maintaining processes across the enterprise to maximise system security and reduce the risks to information and information technology. They respond to incidents, establish appropriate standards and controls, manage security technologies, and direct the establishment and implementation of policies and procedures. The CISO is usually also responsible for information-related compliance.
A strong, genuine CISO needs not only the skill to ‘fix’ cyber security issues and problems, but also the ability to lead the technical specialists delivering security services for the business. The role demands the capability to create a culture that places cyber essential behaviours at its heart by educating the organisation’s people on the threats and on the need for them to adapt to manage them.
The UK’s National Cyber Security Strategy reports that the average cost of a breach to large businesses is around £36,000, and that 65 percent of organisations suffered a breach in the past year. A separate study finds that two thirds of mid-market and large businesses have identified at least one breach or attack in the past 12 months.
Cyber security is a real business risk that has to be front and centre of the Board priorities. The relentless tide of cyber threats has rightly placed cyber security breaches under public and legislative scrutiny, meaning strong security leadership today is a critical component to business success.
DNA of a CISO
A CISO needs to deliver impact and effective, meaningful change in attitudes towards cyber security throughout a business. The skills and characteristics needed to deliver this include strong leadership, effective communication and motivation, cultural change, and strategic thinking.
The leadership demands placed on the CISO are diverse, challenging and ever evolving. The day-to-day priorities of security, coupled with the ongoing alignment of strategic objectives across multiple stakeholder audiences, create a tension that must be carefully managed.
Heritage and legacy
Technical capability and competence are a given for the role of CISO, with reporting lines often still direct to the CIO rather than the Board.
However, the impact of a CISO is not confined to cyber, IT and digital issues. The CISO must take a holistic view of the technology-based operations and activities of the business. Their focus is on transforming how the business approaches its system security, and in turn the strategy for tackling cyber security head-on.
Whilst a working appreciation of IT, digital and cyber security matters at an operational level is advantageous, a CISO isn’t required to be at the heart of the action, so to speak. Too close an association with the guts and glory of security incident response may – and frequently does – inhibit security leaders from accessing the dialogues required to shape preventative strategies and systems.
Where the CISO fits into the organisation has a significant impact on its culture and values. Being seated in IT may set the tone and encourage a tendency for the CISO to focus on the adrenaline-filled tactical system response to threats and crisis. An organisation truly committed to embedding cyber security into its culture must enable the function to be at the heart of its leadership, and the CISO is the role to deliver this, by developing and implementing a cyber security strategy. A CISO is in many ways similar to a business’s CEO: typically, the CEO is focused on dealing with high level strategic decisions, and with a focus on security, the CISO is dedicated to the creation and delivery of an overarching security strategy.
The Board has a responsibility to support and lead its CISO, to see him/her as both custodian and ambassador of the organisation’s cyber security strategies. It must demonstrate this buy-in through investment and tangible, top level security leadership. Fundamental to this is for the Board to give evidence of its belief by clearly giving the CISO its full backing. This will signal that the senior management team is serious about the business’s cyber security essentials, in order to enhance credibility amongst all employees, stakeholders and customers.
Commercial clout
In a market awash with contractors who excel at applying specific domain experience to distinct problems and challenges, there is palpable demand for CISO talent to be able to lead, and not just fix.
The balance between technical capability and authority, and high impact commercial change is hard for a CISO and their Board to achieve. An effective CISO must be pragmatic, with a vision and shared commercial ambition for the organisation’s well-managed risk and security services, as this is the currency that enables improved commercial performance.
Security leaders with the innate curiosity to walk a mile in the shoes of their stakeholders and take these learnings into meaningful change and transformation have an abundance of opportunity on the horizon.
To channel the increased breadth of influence, a successful CISO must be a determined strategic visionary with the right skills to engage everyone from the Board to stakeholders and the entire workforce. Equally important is the ability to communicate effectively and convincingly, to motivate an organisation’s employees, to help each and every one of them understand the place they have in the wider cyber security strategy, and to take an effective stand against cyber security attacks.
For more information, please contact Matt Cockbill, Partner in the CIO & Technology Officers Practice for Odgers Berndtson.
*This article first appeared in Digital Leaders in August 2019