Peer & Practitioner Research Published 2 November 2020 - ID G00735094 - 12 min read
Overview
Security and risk management leaders must focus on their personal effectiveness in order
to meet the expanding demands of their organizations. This research identifies four
distinct categories of behaviors and mindsets that differentiate top chief information
security officers (CISOs) from the rest. Finally, this research offers actionable steps toward
becoming more effective.
Key Findings
The most effective CISOs:
■ Are skilled executive influencers, future risk managers, workforce architects and stress navigators.
■ Diligently manage their time, keeping firm boundaries between work and nonwork and making time for personal development.
Recommendations
Security and risk management leaders, in particular CISOs, seeking to improve their
effectiveness should:
■ Monitor their workforce and address skills gaps with creative talent management practices.
■ Manage personal stress by maintaining firm boundaries between work and private life as well as focusing on the stressors within one’s control.
As enterprise digital ambitions grow, CISOs are finding the size and scope of their role
increasing as well. Gone are the days of only protecting servers and assessing IT risks.
Today’s CISOs are responsible for addressing compliance within fast-changing regulatory
landscapes, providing assurance about growing consumer concerns over product security
and thwarting unrelenting threats. Consequently, CISOs are feeling the strain of their remit,
are overloaded by security alerts and feel decision fatigue as they seek to position their
organizations for resilient growth.
However, effective CISOs are managing these changes. Top CISOs in the 2020 Gartner
CISO Effectiveness Survey are less likely to feel overwhelmed by alerts or stress at work
(see Figure 1). Being an effective CISO pays dividends to the organization in terms of
fewer project delays and business disruptions due to cybersecurity.
■ The Board of Directors (BoD) and Chief Executive Officer (CEO): These stakeholders set the overall tone for the CISO’s role as a part of the broader executive team.
■ Chief Financial Officers (CFOs) and Chief Human Resource Officers (CHROs): These stakeholders are now aggressively adopting automation and software as a service to manage sensitive internal information.
■ Chief Data Officer (CDO): This stakeholder is tasked with identifying and monetizing valuable enterprise data.
■ External Audit: This function can provide context into which regulations are receiving increased scrutiny and is aware of changes in the baseline of due care.
■ Vendors: This group can provide insight into the latest threat intelligence and available security solutions in the marketplace.
The skills required to be a CISO are evolving to keep pace with the changing demands of the role, and being able to interact with a variety of stakeholders is now an essential skill. Are CISOs Meeting Market Demand? A Benchmarking Report on What Organizations Look for in a CISO and How Candidates Compare found that the most-sought-after CISO skills were not related to managing technology but, rather, to communication and relationship-building.
To learn more, read the full study from July 2019, Human Controls for AI Dangers
(SignatureValue Bank).
CISOs should focus on three objectives when it comes to developing security talent for the
future needs of the enterprise: (1) upskilling cybersecurity staff on business
competencies, (2) leveraging noncybersecurity staff creatively, and (3) developing a CISO
succession plan. These practices enable CISOs to increase the output and effectiveness
of their staff without having to hire additional full-time employees.
CISOs must take cybersecurity staff’s current competencies and the goals of the function into account when planning staff development. Cybersecurity staff need to be business-minded to help deliver security services in a manner that satisfies their internal customers. The growing demands on cybersecurity require staff to be more adaptable to a variety of business consumers and stakeholders. Beyond providing technical insight, cybersecurity staff must be able to partner effectively with the business.
CISOs should also be looking beyond the function for ways to address the talent gap.
Some CISOs have developed methods of tapping into talent outside of cybersecurity by
using short “tours of duty” in cybersecurity. Hiring an internal employee for a short-term
tour of duty offers several advantages over bringing in a full-time cybersecurity employee.
These advantages include an expanded talent pool to hire from, cost savings and
attracting motivated candidates who have already demonstrated a cultural fit in the
broader organization.
Having a formal, actionable succession plan is a clear sign of an effective CISO. The
research found that 61% of top-performing CISOs had such a plan, compared to just 35%
of their peers. Having a succession plan not only supports the CISO and immediate team,
but it provides benefits to the organization as well. CISOs with succession plans are able
to align the cybersecurity function and talent strategy to long-term organizational strategy,
increase managerial potential across the cybersecurity function, and ensure strategic
continuity by making sure the CISO is not a single point of failure. Having multiple CISO successor candidates offers a clear advantage over having a single “heir” to the CISO throne: a multiple-successor strategy safeguards against the risks of attrition or unanticipated difficulties with a candidate. All potential candidates should be evaluated against the same set of criteria, and the top candidates should be given stretch opportunities to help the CISO determine who is the best fit.
Many CISOs pursue effectiveness at the expense of their own personal well-being as
opposed to viewing their well-being as a critical performance driver. While stress
management comes in many different forms and manifests differently in people, there is
a common thread: those who are able to effectively manage their stress see significant
benefits in other areas of their life/work. CISO fatigue is a real challenge, but many have
been able to manage the stress by creating firm boundaries between work and nonwork
hours, proactively managing their calendars, and working with others in the organization
for support (see Gartner Peer Connect Perspectives: Analyzing CISO Fatigue). CISOs
should work to define their responsibilities from the onset of their work, and routinely
evaluate whether the projects they are involving themselves in are within scope. CISOs
should consistently reflect on their own effectiveness and whether they are managing
their personal stress as well as they could. While there is no secret to being an effective CISO, living a relatively balanced life and being mindful go a long way toward supporting effectiveness.
CISO Effectiveness: A Report on the Behaviors and Mindsets That Impact CISO
Effectiveness