Five behaviors that make highly effective CISOs stand out

In a world where digital transformation is rapidly creating new opportunities but simultaneously new challenges, the required skills and roles of cybersecurity executives, such as Chief Information Security Officers (CISOs), are also changing.

Of course, this is not so much about the “new” opportunities and challenges (alone) but about the crucial place digital technologies have in today’s digital business and economies where digitization and digitalization created a situation where cybersecurity is an essential business matter.

Chief Information Security Officer concept

Consequently, the role of CISOs has increasingly become one of collaboration with business executives, and they are often in the boardroom now that cybersecurity is more related than ever to growth, enterprise risk management, business continuity, compliance, work, and competitiveness. However, not everyone agrees on whether information security gets the attention it needs and deserves from the board. The answers tend to differ between IT/security executives and business execs, a perception – and reality – gap that’s been around for quite some time.

CISOs and the need to develop professionally

Still, everyone will agree that it is essential for CISOs to keep abreast of significant evolutions regarding regulations, cyber threats, and information security. And there have been quite a few evolutions in these areas in recent years.

Take some cyber risk evolutions concerning organizations’ ever-increasing digital footprint and attack surface with more attention to third-party risk management and software supply chain attacks. Or the prevalence of cloud computing and an increasing need for security consolidation and integration whereby all aspects of the cloud come into the picture, including the cloud-native application lifecycle (see the growing importance of the cloud application protection platform).

“Non-IT functions are key partners that can take technology and cybersecurity decisions outside of IT. By setting aside dedicated time to build relationships with senior business decision-makers across the enterprise, CISOs can cultivate an environment where decision makers understand and care about cybersecurity, as well as consider cybersecurity implications in their decision making.” (Chiara Girardi, Senior Principal, Research at Gartner)

We also had the rise of remote and hybrid working models, the growth of Ransomware-as-a-Service, the convergence of IT and OT (an essential aspect of Industry 4.0), and so on. And then, of course, there is the need to evolve from a reactive to a more proactive cybersecurity approach. At the same time, there is still a gap in terms of “human” security expertise and skilled security people as automation continues to increase.

CISOs constantly need to make decisions concerning people, tools, and technologies so that the companies they represent meaningfully invest in the right resources to best protect their assets, including data and customers. And in today’s organizations, resilience – including cyber resilience – is a top priority amidst all those mentioned and far more evolutions.

As cybersecurity and the role of the CISO continue to evolve rapidly, it seems logical that a good CISO should continue to develop professionally in the many areas that matter. And that’s what they seem to do in practice, albeit some more than others, whereby those who take more time for their personal development also seem to be better-performing CISOs.

“Developing new skills and knowledge as the role changes is essential to effectively serve as a strategic advisor to the business – the new CISO paradigm.” (Chiara Girardi, Senior Principal, Research at Gartner)

According to a survey by Gartner, 69 percent of “top-performing” Chief Information Security Officers foresee the necessary recurring time on their calendars for personal professional development. Looking at bottom-performing CISOs, only 36 percent of them do the same. Gartner concludes that dedicating regularly occurring time for professional development activities is a game-changing behavior for effective CISOs.

High-performing CISOs initiate discussions and are proactive while connecting with senior business executives

And there are more. Gartner sums up a total of five of these game-changing behaviors. While regularly dedicating time to professional development activities is a behavior stated by 69 percent of the top CISOs surveyed, even more CISOs exhibit another behavior at 77 percent of all respondents.

However, the bottom third displays this behavior more than dedicating time to professional development too. We’re talking about “initiating discussions on evolving security norms to stay ahead of threats,” as you can see in the illustration with the five key game-changing behaviors of top-performing CISOs, according to Gartner, below.

As Chiara Girardi, Senior Principal, Research at Gartner, states, “the most effective CISOs stay apprised of existing and emerging risks so they can provide leadership with context around the most significant threats facing the business, to influence investments and risk decisions accordingly.”

CISO leadership – effective CISOs top 5 game-changing behaviors – source Gartner

Also noteworthy: 63 percent of top-performing CISOs “proactively engage in securing emerging technologies like artificial intelligence (AI), machine learning (ML) and blockchain, compared with just 38 percent of bottom-performing CISOs”.

In this context, it shouldn’t be forgotten that the list of emerging technologies can be extended for organizations and isn’t just about the latest trends and evolutions. Many Industry 4.0 technologies, for instance, are still emerging for many organizations, even if they’ve been around for some time. On the other hand, some of those that need to be discussed are probably far more recent because of their potential impact, the speed at which they get adopted and, let’s face it, the hype surrounding them to some extent. Yes, Generative AI is one of them.

Another one that needs to be pointed out is enterprise risk and, more specifically, the definition of enterprise risk appetite with senior business decision-makers in a collaborative way. That’s a topic we’ll dive deeper into later in the context of risk management and cyber risk. Finally, building relationships with senior business decision-makers helps CISOs be more performant, certainly when that happens outside of the context of projects too.

More comments and findings here and in Gartner’s “Key Behaviors Driving CISO Effectiveness.” You can also download Gartner’s eBook “Four Facets of Effective CISO Leadership.”