IT experts rise to the rank of chief information security officer (CISO) because they have mastered the science and engineering involved in that discipline. But for a CISO to thrive, leadership skills are critical. And leadership is an art.
By Prasad Jayaraman, Principal, Advisory at KPMG
Blending the science of technology with the art of leadership is the challenge facing many CISOs, who are regularly thrust into the spotlight as companies continually deal with cybersecurity threats and events. Indeed, 81% of CISOs report to a firm’s board of directors at least annually; most do so every quarter.1
If that is not exactly what you signed up for when you got into computer science or IT, and you are feeling the stress of this high-profile position, you are not alone. The overwhelming majority of CISOs (88%) are “moderately” or “tremendously” stressed in their job – and why not? Two-thirds (66%) said their organization had at least one security breach in the past 12 months. Plus, they feel the pressure of performance, as 97% of their C-suite stakeholders believe IT security should deliver more value for the cost.2
While the demands on a CISO are considerable, the job can be more satisfying and less stressful when CISOs work to refine the “art” part of their responsibilities: leadership. And many of the leadership qualities and skills that can breed success (and less stress) for CISOs can be learned, practiced, and mastered.
Five CISO Leadership Attributes
As CISOs, CIOs, and other technology leaders gain more importance within organizations, they also undergo more scrutiny as expectations for their roles continue to rise and expand. Not only are they expected to guide and oversee a critical element of the business, but they also do this with the realization that their performance plays a key role in the organization’s reputation.
Central to their responsibilities is helping their organizations gain and maintain the trust of stakeholders, something we have coined as “The Trust Imperative.” The importance of this cannot be overstated. As we see it, trust is the ultimate business enabler. When enterprises inspire trust in all their stakeholders, they create a platform for better business performance – including responsible growth, bold innovation, and sustainable advances in performance and efficiency.
To succeed against this challenge, CISOs must inspire confidence, help strike a pragmatic balance between threat and opportunity, and demonstrate the ROI on their recommendations – in short, they must emerge as respected and integral company leaders. But trust is hard-earned and easily lost. And nothing will break trust faster than a security breach. This leaves the CISO in a precarious position, shouldering outsized responsibility for the organization’s brand affinity.At KPMG, we have delved deeply into the technology leadership arena and unearthed what we believe are five key attributes that make a CISO or other technology executive a strong and effective leader – one who will help the company earn the trust that stakeholders seek.
1. Create value. While CISO and related cybersecurity roles are primarily created to address compliance issues and security, that mindset is evolving. The C-suite demands all functions generate active value, and IT (or broader) security is no different. That requires a broad view of risk to the organization and the courage to make hard choices.
According to a KPMG survey,4 CEOs are well aware of the importance of digital technologies in creating value for the company. Indeed, about two-thirds said they had plans to invest in disruption detection and innovation processes to spur growth, demanding new approaches to managing data and information risk.
The key to this is determining the boundaries of digital security to enable growth and value without exposing the company to undue peril. CISOs who adroitly apply risk management to decision-making and recommendations will sync with their fellow business leaders.
2. Influence. While most corporate leaders have control of their budget and infrastructure, the CISO depends on others to implement and embed security policies and standards. Yet, even if your budget is “owned” elsewhere, you will be measured – and appreciated for – the influence you and your teams have on the company as it strives to keep cyber threats at bay.
You need to understand how and when to use your influence to motivate, enact change or propel a project forward. This requires some skillful maneuvering. If you can positively influence stakeholders with recommendations that will benefit the organization, your leadership will be respected, and your influence will grow. When you raise concerns, they will be listened to, treated seriously, and acted upon.
Influence is such a critical leadership attribute that the KPMG Executive Leadership Institute for Women devotes a course to this topic, but its principles apply to leaders of any gender.
3. Willingly collaborate. The days of the IT security team working stealthily in a dark room, with little interaction with business leaders, are long over. While CISOs may often be seen as “servant leaders,” as they put the needs of the business divisions they serve, their true value will stem from their ability to be seen as true partners with their C-suite colleagues. Those who develop and exercise collaboration skills will earn a seat at the decision-making table that extends well beyond cyber events.
Moreover, CISOs must extend their influence and integration abilities outside the company’s four walls. An organization is truly safe from cyber threats only if its broader ecosystem is. So forging relationships with vendors and partners is a critical aspect of CISO function – especially since 79% of CEOs say that protecting the partner system and supply chain is just as important as building the company’s cyber defenses.5
4. Top off your tech skills. Sure, technology acumen is a given for the CISO job, just as mastering accounting and finance is for the CFO. But it is imperative to stay on top of your game. Cybersecurity is a mercurial field, and CISOs must keep abreast of the latest technology developments, threats, and compliance issues; when it comes to IT and data security, no one likes surprises – and you will be in the hot seat if one emerges.
5. Become immersed in the business. The CISO ultimately exists to protect the organization and the data, which is its lifeblood. To be the most effective CISO leader, you require understanding of the nuances of technology as well as the nuances of the industry in which your firm competes. The more you understand the business, the more you will be able to weave cybersecurity into the company’s DNA.
CISOs must speak the language of the C-suite and learn how to navigate company politics. It is the only way to build trust, be involved in forming consensus, and ensure your fellow leaders fully recognize how strategic decisions impact – and are impacted by – digital technology and cybersecurity.
Build your Skills
So, now that we have identified some of the skills needed to be a successful CISO leader, the question remains: How do you acquire them?
That can be an especially vexing problem for IT natives who have little background in business management. But there are several tactics you can employ to acquire leadership techniques and the confidence to use of them.
An excellent place to start is to learn from more experienced leaders, be they in IT or other functional areas. Seek out a mentor, inside or outside your organization, who can serve as both a sounding board and a counselor as you face new and unfamiliar challenges.
It is also important to hone your communications skills further through one-on-one or group training sessions that focus on public speaking or interpersonal communications. Do not let shyness or an affinity for staying in the background disrupt your ability to lead effectively.
You may also seek the services of executive leadership training & development programs offered by universities or consultancies. The best programs cater to the busy, working executive with online options, or you can participate on evenings or weekends.
But most of all, you should seek to forge strong alliances with other business leaders in your organization, especially those in adjacent areas such as the top risk, digital, and information officers. These alliances are key to influencing, broader understanding, and to mutual challenge and support.
As a CISO, you may have embarked on a career path you were not anticipating. But if you embrace the challenge, honestly assess your strengths and weaknesses, and reach out for assistance to build your leadership muscle, you will earn your seat at the corporate decision-making table.
- Hitch Partners, 2021 CISO Survey
- Nominet, “The CISO Stress Report – Life Inside the Perimeter: One Year On,” 2020.
- Navisite, “The State of Cybersecurity Leadership and Readiness,” November 2021.
- KPMG 2021 CEO Outlook
About The Author
Prasad Jayaraman is a Principal in KPMG’s Advisory Services practice with more than 17 years of experience in identity management and a strong track record of performance in technology professional services organizations.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG, and CISO MAG does not assume any responsibility or liability for the same.