6 Behaviors Highly Effective CISOs Have in Common


A study by Gartner identified behaviors shared by top-performing CISOs. These behaviors concern how CISOs interact with executives, how they strategize, and how they handle operations. In this article, we look at the behaviors of top-performing CISOs and discuss practical ways in which each can be put into practice.

A look at the study

In the Gartner study, CISO effectiveness is measured by a CISO's ability to execute against a set of outcomes in four categories: functional leadership, information security service delivery, scaled governance, and enterprise responsiveness. Top performers are defined as those whose cumulative scores across the four categories fall in the top third.

Gartner then looked at which behaviors were prevalent among the top-performing CISOs. It found five behaviors for which a large discrepancy existed between the top performers and the bottom performers.

Sourced from Gartner

A sixth behavior, relating to stress management, was also identified. The gap between high- and low-performing CISOs suggests that these behaviors are often overlooked by lower performers. Taken together, they show that effective CISOs take proactive measures to ensure sound security practice. We will keep that proactivity in mind as we discuss actionable steps CISOs can take to adopt each behavior.

Behavior #1. Prioritize keeping decision-makers aware of current and potential future risks to the enterprise

Informing decision-makers about risk benefits your organization in several ways. At present, however, the majority of CISOs have limited interaction with the board of directors and executives.

Sourced from Security and the C-Suite

A lack of communication leads to inefficient incident response planning and inefficient allocation of budgets and resources. Involving executives in incident response planning is a necessary step. They need to know their roles in the process and be ready to make critical business decisions when an incident occurs. This includes knowing what the critical business functions are and when to stop them. Executive involvement also matters for business continuity, since executives decide when those functions resume, and executives will authorize the PR initiatives that mitigate reputational damage.

Getting executives involved in risk management strategy is known as Enterprise Risk Management (ERM). This approach relies on executive involvement and on making risk management an enterprise-wide effort. Another of its principles is that it looks at how risks affect the enterprise as a whole. Instead of treating cyber attacks solely as cybersecurity risks, ERM views regulatory risks, financial risks, cyber risks, operational risks, and compliance risks as all falling under one large umbrella: enterprise risk.

This approach breaks down the silos that make risk assessments and risk inventories difficult. It also allows risks to be quantified more accurately in objective financial terms. When executives know which risks exist and understand them in quantified terms, they can determine an appropriate security budget more efficiently, treating security spending as an investment with a measurable return against those risks.

Behavior #2. Define risk appetite through collaboration with senior business decision makers

Boards that understand risk can then set risk appetite responsibly, in a way that benefits all stakeholders. As discussed above, CISOs who communicate with the C-suite give decision-makers a better understanding of risk through risk assessment and risk quantification. With that understanding comes the ability to define risk appetite more appropriately.

Risk appetite determines security budgets and which risks the organization deems necessary (and financially worthwhile) to address. Involving cybersecurity leaders in this process may soon go from advisable to compulsory. The SEC has proposed rules that would require public companies to disclose the cybersecurity expertise of their board members, which would put pressure on boards to have such expertise available.

The SEC's reasoning is that stakeholders should understand the risks that exist in the organization they have a stake in, as well as what that organization is doing to manage those risks. Risk appetites will be more public, and under greater scrutiny, than ever before. If stakeholders judge the organization's risk appetite to be too large (that is, its security measures are not adequate for its level of risk), they may begin to lose faith in the organization. This is why it is increasingly important for CISOs to play a role in defining risk appetite, so that it is appropriate to the amount of risk the organization is actually exposed to.

Behavior #3. Initiate discussions on evolving norms to stay ahead of threats

The basics of cybersecurity may not change, but threats and practices are constantly evolving. Community engagement helps individual cybersecurity leaders learn and helps improve cybersecurity as a whole. Some places where such discussions can be held are described below.

  1. As COVID-19 restrictions have eased, in-person conferences are starting up again. These provide good opportunities to meet face to face and network with cybersecurity professionals of all kinds: blue team, red team, and vendors. They are a good way to build and maintain relationships with these professionals.
  2. LinkedIn has proven to be a good place for professionals to make connections and start discussions. A recent article we posted on vendors' pitches to CISOs looks at a couple of LinkedIn threads where CISOs and vendors alike join the conversation. These can be rich discussions, open to the public.
  3. Here at PeerWise we are building a community tailored specifically to cybersecurity professionals. We also let client engagement drive future research, so that you get the most up-to-date, data-backed answers to your questions. We have published budgeting reports looking at where security spending is going across industries, as well as a report on what cyber leaders are doing to respond to increased threats from Russia.

In interviewing cybersecurity professionals we have repeatedly heard one opinion: more information sharing between organizations would benefit the cybersecurity industry. Most organizations currently opt to keep breaches and attacks as secret as possible.

Mike Jones, who has worked in the cyber field for decades, voiced this opinion in our recent interview. "But where we still haven't made the shifts, and I think it's the downfall of the industry, is people don't want to admit their baby is ugly. So when they get breached, they don't talk about it. And to me, that's a fail. It's a fail because if yes, you got breached, it's probably bad. It's probably a dumb mistake. But if you share the information with the next person or the next company, they're one foot up.

You want to build a strong, secure environment. And when I say environment, I’m not talking about your company or your network, I’m talking about cybersecurity as a whole. We’re only as strong as our weakest link. So if we don’t share the information to these people coming into cybersecurity from healthcare, from law enforcement, if we don’t share what we have and what we know we’re killing our own.”

While the decision to release data will often rest with the executives rather than the CISO, it is worth noting that cyber leaders are increasingly pushing for it to happen. In the future, greater information sharing may become the norm.

Behavior #4. Proactively engage in securing emerging technologies

Just as conversations with other cybersecurity leaders are helpful, so are discussions with vendors to find the best technologies. Discussions with other CISOs are a good place to learn their opinions of vendors. But while this helps in finding established vendors, it makes it harder to find up-and-coming vendors with new solutions.

Our recent article on vendors' sales pitches to CISOs shows this challenge from the vendor's perspective. Cold calls are often disliked and are rarely effective. Instead, it is more productive for CISOs and vendors to engage in open discussions about cybersecurity. Through such discussion CISOs learn about vendor solutions, and vendors can educate the field on the options available, without it turning into a forced sales pitch.

David Spark, host of the CISO Series podcast, talks about CISOs going out to find vendors. "So, Allan Alford had done it one time and he kind of made it very public that he was dedicating, I think it was an hour a week, to just talk to vendors and setting up time to speak with them. It might have been actually more than that, actually. It seems great because it was a mechanism for him to educate himself. He was sort of filtering what he did and didn't want to speak to." The CISO position is an extremely busy one, and often there is little time for vendor shopping, but any way you can find to engage with the community can be beneficial.

Behavior #5. Have a formal and actionable succession plan

CISO turnover is very high. The average tenure of a CISO is 18-26 months, and almost a quarter leave in the first year. Only 27% of CISOs stay at their company for 3-5 years. Succession planning provides business continuity when a CISO leaves, whether on their own initiative or the company's, and whether the departure was long planned or not. It helps the company stay afloat, and the lack of one can damage the departing CISO's professional reputation. At present it takes companies an average of 6-12 months to recruit a CISO. A gap between CISOs can prove disastrous if the organization suffers a cyberattack in that time.

An actionable succession plan should exist as a document presented to executives. The plan should document the current CISO's roles, responsibilities, and future goals. It should also list the attributes to look for in a candidate. The goal is to have narrowed down potential successors before the CISO leaves, and then to make the handover as easy as possible for the new CISO.

The CISO must be directly involved in making this plan, because no one knows the position better. Without a succession plan, the current CISO's strategy may not be fully understood or carried through by the successor. The current CISO also knows their own responsibilities and is likely to have the best insight into the attributes and criteria to look for in a successor.

Statistics give some idea of the attributes that make a good replacement. A recent Kudelski Security report found that 82% of CISOs interviewed say communication skills are critical, versus just 52% who believe hands-on experience with technology is critical. If a successor has not previously been a CISO, the same report found that the largest share of respondents name governance, risk and compliance positions as the best pre-CISO role.

Looking inside the organization for a successor can be beneficial, since the employee will already be familiar with the organization's security architecture, but currently two-thirds of CISO hires come from outside the company. Regardless of where the CISO comes from, it is important to have more than one candidate in mind. Given the high turnover rate, businesses everywhere will be in the market for a new CISO sooner rather than later.

Behavior #6. CISOs who performed best were better at managing stress

An additional behavior Gartner found to be prevalent among top-performing CISOs was that they manage stress better. In the study, 27% of top-performing CISOs feel overloaded with security alerts, compared with 62% of bottom performers. Less than a third of top performers feel they face unrealistic expectations from stakeholders, compared with half of bottom-performing CISOs.

CISO turnover has several causes, and one of them is burnout. The CISO position is one of extremely high stress. Many CISOs report poor work-life balance and too many responsibilities. On top of that, CISOs in some ways hold the fate of the company in their hands. They are often blamed when a cyberattack damages their organization, and just as often fired for it.

On measuring stress Rich Mogull, CEO at Securosis, says, “There are three measures on the Maslach Burnout Inventory. There is exhaustion — the more exhaustion, the more it is an indicator of burnout. Next is cynicism — not skepticism, but a cynical, negative outlook on things. The third is perceived self-efficiency, which is: Am I making a difference?”

Identifying stress is the first step toward remediating it. Unfortunately, some CISOs cope with stress in unhealthy ways: a study found that 24 percent of CISO respondents say they are self-medicating with drugs, alcohol, narcotics or prescription medication. Healthy avenues for stress management should be pursued for long-term health and wellness.

Sam Olyaei, research director at Gartner, says “As the CISO role becomes increasingly demanding, the most effective security leaders are those who can manage the stressors that they face daily. Actions such as keeping a clear distinction between work and nonwork, setting explicit expectations with stakeholders, and delegating or automating tasks are essential for enabling CISOs to function at a high level.”

It is important that CISOs do all they can to manage stress, not only for their job security but for their overall wellbeing. Steps such as keeping work separate from home life and finding ways to automate routine tasks can help. Of course, company culture also plays a role in stress, and a toxic work environment can lead to burnout. The job market for CISOs is hot, and with such high turnover, companies may start to realize that something needs to be done to retain these leaders.
