The Rapidly Changing Role of the CISO
The rapidly changing role of the Chief Information Security Officer (CISO) is usually described by broad trends that are scarce on specifics. Actionable distinctions about CISO responsibilities and the skills required to master them have been identified by leading executive recruiters. These same distinctions go beyond staffing, however, to describe behaviors that increase overall information security (InfoSec) maturity. Our goal is to provide input useful to a CISO planning new strategies, to a CIO responsible for InfoSec and to a CEO or board director working to match resources to the business risk.
Within the red hot InfoSec talent pool, the demand for leaders in the CISO role is white hot. The momentum continues to build as the CISO becomes the focal point for InfoSec in most larger businesses. Several leading executive assessment and recruiting firms have accumulated a body of knowledge to create better matches.1,2,3,4
The aggregate has a clear message: “There may be (paradoxically enough) an overemphasis on cyber qualifications.” 1 and “as the role gets harder,… ‘soft stuff’ matters more.”2
The most actionable material we’ve found is the 2016 whitepaper Cyber Security: What level of Chief Information Security Officer do you need? 3 by Russell Reynolds Associates which builds on a 2014 article, New Threats, New Leadership Requirements: Rethinking the Role and Capabilities of the Chief Information Security Officer.2 . It draws on their experience with numerous placements to offer a framework for analyzing both the needs of your organization and the skills required to meet them.
Questions provided can be a self-test needs assessment. Grounded in the four implementation maturity tiers (partial, informed, repeatable, adaptive) used by the National Institute of Standards and Technology (NIST) 5, the paper illustrates the factors that start to outline the right match.
Leveraging the same NIST maturity tiers, the paper sketches four levels of CISO performance. The framework offers specifics including job expectations, a list of leadership competencies and observable behaviors. CISO performance expectations are rated as “weak, average, or strong” for each of the 4 levels. While less detailed in their description, the search firms of Heidrick & Struggles1 and Spencer Stuart4 present very similar themes about the correlation between high performance and stronger skills in strategy, communication, collaboration, influence and the ability to work with the C-suite and board.
Useful Distinctions for InfoSec Maturity
These useful distinctions are based on many more CISO assessments and searches than most individual leaders have the opportunity to experience first-hand. As Russell Reynolds points out, not every organization needs a level 4 CISO yet the distinctions offered in these analyses go beyond staffing; they also characterize the standards and behaviors needed to increase InfoSec maturity in an enterprise.
“Yes, and” solutions
As the cited resources are executive search firms, they focus on your next hire.
SecuriThink “yes, and” solutions leverage what’s already working in your business. We’ve pointed out that, yes, these distinctions apply to staffing and also to the behaviors that characterize higher InfoSec maturity overall. As this pertains to staffing, yes, maturity can be hired, and it can also be developed from within your existing team.
If your enterprise has an InfoSec group stronger on technology than “soft skills”, consider complimenting that strength. The potential of SecuriThink methodology is to make culture a force multiplier for InfoSec. We partner with InfoSec leaders that are ready to make their technology strengths more “consumable” across the enterprise as well as up to the C-suite and the board. We help those organizations that are ready for readiness experience a smoother transition.
Sometimes the best match and most leverage comes from supporting and developing resources already in place. Even a Level 4 CISO can use extra capacity now and again.
- Four mistakes to avoid when hiring your next security chief. Heidrick & Struggles. 2015
- New Threats, New Leadership Requirements: Rethinking the Role and Capabilities of the Chief Information Security Officer. Russell Reynolds Associates. 2014
- Cyber Security: What level of Chief Information Security Officer do you need? Russell Reynolds Associates. 2016
- An Expert Perspective: Art Coviello on the Board’s Role in Cybersecurity. Spencer Stuart. 2015
- Framework for Improving Critical Infrastructure Cybersecurity. National Institute of Standards and Technology.
More Field Notes
Experience shows that focusing on Level 3+ results from the outset yields a much more powerful outcome while also making the project easier and less risky.
Leverage our lessons learned to make your project easier using the SecuriThink Data Classification Complexity Scale.
Rally C-suite ownership with a compelling business case for change
Managing across the enterprise for new security habits
Quick Start the project, cross-train client team, manage risk
23 Workstreams over 2 years deployed many technologies and policy changes in support of a “Defense In Depth” InfoSec strategy
Behavior change and more leverage from Security Education and Awareness (SEA)
Reduce technical support with appropriate employee engagement
Minimize business impact and technical support requirements
High security computer-based test centers