What Makes CISOs Successful?

The chief information security officer (CISO) role has evolved over the past few years from tactical IT manager to strategic business executive. Given this transition, what qualities are most important for making CISOs successful?

To answer this question, I went back to the data from last year’s research report from ESG and the Information Systems Security Association (ISSA). I then cut the data by respondent’s role to understand what CISOs themselves think is most important. (Note: I am an employee of ESG.)

The data reveals that:

  • 54% of CISOs believe CISO success depends upon leadership skills. In this case, CISOs must lead their organizations by educating employees on cyber-risk, creating a tailored security awareness training program, and establishing a cybersecurity culture from top to bottom.
  • 49% of CISOs believe CISO success depends upon communications skills. CISOs must be able to articulate “in the weeds” topics such as software vulnerabilities, threat intelligence, and encryption in a way that business folks can internalize, poke at, and take action upon. Furthermore, CISOs interface with a wide range of constituencies – legal, HR, law enforcement, auditors, partners, etc. The gift of gab is certainly useful here.
  • 44% of CISOs believe CISO success depends upon a strong relationship with business executives. If the business people are active, engaged, and treat the CISO as an equal, CISOs have the right foundation for success. If this is not the case, CISOs tend to find greener pastures.
  • 33% of CISOs believe CISO success depends upon management skills. I’m a bit surprised that this is further down the list, but my guess is that managing the security staff is often delegated to direct reports, while CISOs focus on risk management and working with business executives.
  • 21% of CISOs believe CISO success depends upon technical skills. This metric alone really demonstrates how much the CISO position has changed over the past few years. In the old days, CISOs tended to work their way up through IT and cybersecurity departments before assuming oversight of antivirus software and firewalls, and of meeting regulatory compliance mandates. Now, CISOs lean much more heavily toward the business.

A few closing comments: