CISO LEADERSHIP AUTOPSY


It’s a disconnect that speaks volumes about the current relationship between information security and the corporate board: according to a study by ISACA, 82 percent of cybersecurity and information security professionals report that their board of directors is concerned or very concerned about cybersecurity. Yet only one in seven Chief Information Security Officers (CISOs) report directly to the CEO—a paltry 14 percent.

Why aren’t more CISOs getting seats at the leadership table? In some respects, we have ourselves to blame. The prevailing perception is that the role of the CISO is a technical position, not a leadership position. While CISO leadership can be exercised at any level within the organization, the disconnect between the board concerns about security and the CISO reporting lines can, in many cases, be attributed to a general lack of leadership skills on the part of security professionals. If that’s to change, it’s up to us to change it.

Unfortunately, as a skill set, leadership for security professionals remains largely uncharted territory. A quick search on Amazon reveals that most books on information security are either technical in nature or centered on certification. While there’s no shortage of articles and blogs that advocate for a direct reporting line to the CEO and the inclusion of the CISO in the boardroom, there are very few authors who deal with the subject of CISO leadership. For those of us with a passion for leadership and devotion to information security, this is an unfortunate, unacceptable dynamic, and my hope is that this ongoing blog be considered a resource towards transforming the current CISO leadership state of affairs.

If today’s CISO is to seriously contemplate his potential leadership role in the corporate world and his ability to bring about long-lasting changes to his organization, it’s imperative that he starts out by understanding his current level of leadership. From my experience in various security leadership positions in the information security domain, I have found that an especially valuable way to measure the level of CISO effectiveness within the organization is to leverage New York Times best-selling author John Maxwell’s five levels of leadership. In The 5 Levels of Leadership: Proven Steps to Maximize Your Potential (Center Street, 2013), Maxwell identifies the levels that a true leader transcends to ultimately reach his or her highest level of effectiveness.

In applying these levels to the world of corporate security, it becomes apparent that many CISOs are stuck on the bottom level—position leadership. They’re leaders by title only; any authority they have comes from their position within the organization. CISOs in the position leadership level tend to fall back on regulatory and compliance mandates for securing their organizations. They’re not generally keen on working with others to provide solutions, seeing security as a rather black-and-white proposition instead of the risk management function that it really is. Security is viewed as a zero-sum game for CISOs at the position leadership level. They define their role by what they oppose instead of what they can offer as alternative solutions. Consequently, they become regarded more as show stoppers than business enablers. Security becomes perceived by others in the organization as a box to be checked at best, and as a hindrance to be circumvented at worst.

At the second level of leadership—permission leadership—the CISO better understands the importance of developing relationships within the organization. He understands that security is much more than just its mere technical aspects. It’s about working with others to build consensus towards shared goals. CISOs at this level have a working grasp of the organization’s objectives, and they work to align the organization’s security initiatives with them. Security is no longer a zero-sum game at the permission level. A CISO at this leadership level can empathize with the needs of others and, rather than keeping himself at arm’s length, he builds support and alliances. He understands the power of what professor and author Rohit Bhargava terms “likeonomics”—the ability to earn trust and influence the behavior of others.

CISOs at the third level—production leadership—have proven track records. They’ve gotten results and gone beyond relationship-building to consistently deliver on their promises. They’re recognized by their organizations as dependable and trustworthy. They’re business enablers, and security is no longer a show-stopper. In fact, CISOs at this level are actually change agents: they rely on their strong understanding of business drivers and knowledge in their domain to successfully transform the way their organizations think about and react to security. Security under the CISO at the production leadership level is well-integrated into business process and technical development.

At the fourth leadership level—people development—the CISO understands that his effectiveness in the organization is not measured by the implementation of IT security controls, but rather by his ability to influence the organization and bring about a security-conscious culture. The CISO at this level sees the big picture and rightfully focuses on changing the environment around him to a much more security-minded environment. His passion towards his field becomes contagious as a result of his strong relationships within the organization and his proven results. The CISO at the people development level has earned the right to evangelize, and the organization, in turn, reacts to him by making security everyone’s business.

Finally, there’s the pinnacle level. CISOs at this level think beyond intra-organizational concerns. Their impact moves from aligning security with business objectives to making security part of the overall corporate business strategy. Security is transformed by a level five CISO from its fundamental nature of being a trade-off into a competitive advantage.

Now, more than ever, leadership for the CISO is becoming a critical skill. Today, we are facing more threats in cyberspace than ever before, the impact of which can bring down entire organizations. The CISOs who prevail will be the ones who face these challenges by understanding the importance of developing their leadership skills. The indispensable CISO will be the one with the ability to influence his organization at all levels, beyond just the implementation of IT security controls, thereby earning him a seat at the corporate leadership table.

by Roshdi Osman