
The Roadmap to CISO Effectiveness

Peer & Practitioner Research Published 2 November 2020 - ID G00735094 - 12 min read

By Analyst(s): Information Risk Research Team

Initiatives: Security and Risk Management Leaders

Security and risk management leaders focus on running effective functions, but rarely spend similar effort focusing on their personal effectiveness. This study highlights the behaviors and mindsets differentiating top CISOs and provides tactical guidance on how to boost personal effectiveness.

Overview
Security and risk management leaders must focus on their personal effectiveness in order
to meet the expanding demands of their organizations. This research identifies four
distinct categories of behaviors and mindsets that differentiate top chief information
security officers (CISOs) from the rest. Finally, this research offers actionable steps toward
becoming more effective.

Key Findings
The most effective CISOs:

■ Are skilled executive influencers, future risk managers, workforce architects and
stress navigators.

■ Target specific executive stakeholders with a definite meeting cadence.

■ Actively develop their team by focusing on diverse competencies, addressing talent
gaps with nonsecurity resources and developing CISO succession plans.

■ Diligently manage their time by keeping firm boundaries between work/nonwork and
make time for personal development.

Recommendations
Security and risk management leaders, in particular CISOs, seeking to improve their
effectiveness should:

Gartner, Inc. | G00735094 Page 1 of 14

This research note is restricted to the personal use of .


■ Emphasize relationship-building with senior leadership outside of IT across the
enterprise, particularly outside the context of projects.

■ Proactively identify and manage future risks to the organization by informing
decision makers about new security norms and technologies and proactively
securing business use of AI.

■ Monitor their workforce and address skills gaps with creative talent management
practices.

■ Manage personal stress by maintaining firm boundaries between work and private
life as well as focusing on the stressors within one’s control.

CISO Effectiveness and Why It Matters

The pace at which the world is digitizing is not slowing down. In fact, the 2020 Gartner
View From the Board of Directors Survey shows 69% are pushing the acceleration of
digital initiatives to remain competitive (see Understand the Board’s Priorities and How
They Shifted in 2020). As a result, leading CISOs recognize they must adapt their role to
protect and enable enterprise goals.

As enterprise digital ambitions grow, CISOs are finding the size and scope of their role
increasing as well. Gone are the days of only protecting servers and assessing IT risks.
Today’s CISOs are responsible for addressing compliance within fast-changing regulatory
landscapes, providing assurance about growing consumer concerns over product security
and thwarting unrelenting threats. Consequently, CISOs are feeling the strain of their remit,
are overloaded by security alerts and feel decision fatigue as they seek to position their
organizations for resilient growth.

However, effective CISOs are managing these changes. Top CISOs in the 2020 Gartner
CISO Effectiveness Survey are less likely to feel overwhelmed by alerts or stress at work
(see Figure 1). Being an effective CISO pays dividends to the organization in terms of
fewer project delays and business disruptions due to cybersecurity.


Figure 1: Benefits of CISO Effectiveness

Outcomes of Effective CISOs

Gartner’s CISO effectiveness measure is determined by the CISO’s ability to execute
against a set of outcomes in the categories shown in Figure 2. (See CISO Effectiveness: A
Report on the Behaviors and Mindsets That Impact CISO Effectiveness.) Note that it is
difficult to execute on all outcomes: the data shows that as few as 12% of all CISOs
execute against all four.


Figure 2: CISO Effectiveness Measure

1. Functional Leadership: Effective team leadership in meeting functional objectives.
As the leader of the cybersecurity function, CISOs’ functional leadership is table
stakes when it comes to overall effectiveness.

2. Information Security Service Delivery: Effective delivery of quality services in
support of business objectives. With virtually every business capability today
enabled by technology, CISOs must not only protect their organization, but also help
it meet its objectives.

3. Scaled Governance: Ability to increase cooperation with cybersecurity
recommendations. Distributed decision making has expanded the volume and
variety of information risk decisions to support, so CISOs need to be able to scale
governance to meet the demand.


4. Enterprise Responsiveness: Ability to sensitize the enterprise to the role and
importance of cybersecurity. CISOs must cultivate an environment where decision
makers understand and care about cybersecurity and consider cybersecurity
implications in their decision making.

The Four Facets of Effective CISOs

CISOs are expected to have a broad skill set due to the changing demands of the
enterprise. Our research found 14 controllable variables positively correlated with CISO
effectiveness. These variables fall into four categories of behaviors and mindsets that
differentiate effective CISOs from their peers. The categories are referred to as “facets” of
effective CISOs. These facets can be seen within the hexagons in Figure 3. They are: (1)
Executive Influencer, (2) Future-Risk Manager, (3) Workforce Architect, and (4) Stress
Navigator.

Figure 3: Categorization of the 14 Controllable Differentiators of CISO Effectiveness

Facet One: Executive Influencer

Effective CISOs make it a point to regularly interact with executives outside of corporate IT
because they are aware of the influence these executives have on security’s effectiveness.
They seek to nurture meaningful relationships with these executives outside the context of
projects, collaborating on risk appetite and influencing enterprise-level decisions by
clarifying information risk trade-offs. These CISOs also see networking opportunities as
essential, viewing their relationships with other CISOs as core to their success.

Figure 4: Executive Influencer


Our research highlights the importance of building relationships with senior executives.
But which stakeholders, out of the dozens of potentially important ones, should CISOs
prioritize? The survey shows that the IT stakeholders CISOs traditionally prioritize are not
significantly correlated with effectiveness. These stakeholders still matter, but CISOs
should not prioritize these interactions. Everyone needs to meet with IT stakeholders, and
most are doing so, but CISOs need to learn how to optimize these engagements for
efficiency. Our analysis revealed meeting with several non-IT stakeholders correlates
positively with CISO effectiveness. These stakeholders possess unique insight about
future business strategies, initiatives and technologies. These are the non-IT stakeholders
positively correlating with CISO effectiveness:

■ The Board of Directors (BoD) and Chief Executive Officer (CEO): These stakeholders
set the overall tone for the CISO’s role as a part of the broader executive team.

■ Chief Financial Officers (CFOs) and Chief Human Resources Officers (CHROs): These
stakeholders are now aggressively adopting automation and software as a service
to manage sensitive internal information.

■ Chief Data Officer (CDO): This stakeholder is tasked with identifying and monetizing
valuable enterprise data.

■ Heads of Marketing, Sales and/or Communication: These stakeholders are closest
to the consumer, enabling them to provide the CISO with the consumer’s perspective.
CISOs tend to undervalue marketing, sales and communications, but these areas
yield insight into customer behavior and engagement with products.

■ External Audit: This function can provide context into which regulations are
receiving increased scrutiny and are aware of changes in the baseline of due care.

■ Vendors: This group can provide insight into the latest threat intelligence and
available security solutions in the marketplace.

The skills required to be a CISO are evolving to keep pace with the changing demands of
the role, and being able to interact with a variety of stakeholders is now an essential skill.
Are CISOs Meeting Market Demand? A Benchmarking Report on What Organizations Look
for in a CISO and How Candidates Compare found the most-sought-after CISO skills were
not related to managing technology, but, rather, to communication and relationship-
building.


Are CISOs Meeting Market Demand? A Benchmarking Report on What Organizations Look
for in a CISO and How Candidates Compare

Our analysis of numerous CISO job postings at major companies found the most-sought-after
skills were not cybersecurity-specific, but instead were items like communication (50%),
leadership (39%) and strategic planning (37%).

Facet Two: Future Risk Manager

Effective CISOs also serve as future risk managers by positioning information risk
management as an accelerator of emerging technology adoption in the organization.
They inform senior decision makers of new security norms and technologies, making
them aware of future risks and developing automation strategies to prepare the
organization.

Figure 5: Future Risk Manager


When it comes to new technology, CEOs anticipate artificial intelligence (AI) will have the
greatest impact on their organizations. 2020 Gartner CEO Survey: The Year of Recession
found nearly one-third of CEOs believe AI will most significantly impact their industries
over the next three years. As such, leading CISOs are proactively securing business use of
AI. SignatureValue* is one example of how securing AI led to better outcomes for the
business.

Case in Point: SignatureValue*

SignatureValue Bank wanted to solve the problem of identifying and mitigating the
predictions of AI models that can lead to bad business outcomes. SignatureValue Bank
created security controls to prevent AI applications from creating dangerous data
combinations or making predictions that harm the business.

To learn more, read the full study from July 2019, Human Controls for AI Dangers
(SignatureValue Bank).

Facet Three: Workforce Architect

Effective CISOs have a future-focused talent strategy to meet the rising skills needs of the
enterprise. They have formal, actionable succession plans that enable organizations to
advance toward future objectives. These practices result in the overall security workforce
being better prepared for challenges, such as the well-documented security talent shortage
nearly every organization is coping with.


Figure 6: Workforce Architect

CISOs should focus on three objectives when it comes to developing security talent for the
future needs of the enterprise: (1) upskilling cybersecurity staff on business
competencies, (2) leveraging noncybersecurity staff creatively, and (3) developing a CISO
succession plan. These practices enable CISOs to increase the output and effectiveness
of their staff without having to hire additional full-time employees.

1. Upskill Security Staff on Business Competencies

CISOs must take cybersecurity staff’s current competencies and the goals of the function
into account when planning staff development. Cybersecurity staff need to be business-
minded to help deliver security services in a manner that satisfies their internal customers.
The growing demands on cybersecurity require staff to be more adaptable to a variety of
business consumers and stakeholders. Beyond providing technical insight, cybersecurity
staff must be able to effectively partner with the business.


Unfortunately, many cybersecurity employees are not motivated to develop in these
nontechnical areas because they are not measured on them. Setting development goals for
employees in both technical and nontechnical growth dimensions helps to ensure they
become more capable of handling rapid enterprise change. These growth dimensions
should include leadership ability, technical expertise, interpersonal skills and
organizational awareness.

2. Leverage Talent Outside of the Program

CISOs should also be looking beyond the function for ways to address the talent gap.
Some CISOs have developed methods of tapping into talent outside of cybersecurity by
using short “tours of duty” in cybersecurity. Hiring an internal employee for a short-term
tour of duty offers several advantages over bringing in a full-time cybersecurity employee.
These advantages include an expanded talent pool to hire from, cost savings and
attracting motivated candidates who have already demonstrated a cultural fit in the
broader organization.

3. Develop a Thorough and Effective CISO Succession Plan

Having a formal, actionable succession plan is a clear sign of an effective CISO. The
research found that 61% of top-performing CISOs had such a plan, compared to just 35%
of their peers. A succession plan not only supports the CISO and immediate team, but
also benefits the organization. CISOs with succession plans are able to align the
cybersecurity function and talent strategy to long-term organizational strategy, increase
managerial potential across the cybersecurity function, and ensure strategic continuity by
making sure the CISO is not a single point of failure. Grooming multiple CISO successor
candidates is preferable to relying on a single “heir” to the CISO throne: a
multiple-successor strategy safeguards against attrition and against unanticipated
difficulties with any one candidate. All potential candidates should be evaluated along
the same set of criteria, and the top candidates should be given stretch opportunities to
help the CISO determine who is the best fit.

Facet Four: Stress Navigator

All CISOs face stress in their role, but the most effective ones are able to exert agency over
their stressors. These CISOs are able to maintain rigid boundaries between their working
hours and their personal time. Only a small portion of effective CISOs are successfully
managing their stress. While individual stress management methods may vary, this is an
area requiring deeper attention across the discipline.


Figure 7: Stress Navigator

Many CISOs pursue effectiveness at the expense of their own personal well-being as
opposed to viewing their well-being as a critical performance driver. While stress
management comes in many different forms and manifests differently in people, there is
a common thread: those who are able to effectively manage their stress see significant
benefits in other areas of their life/work. CISO fatigue is a real challenge, but many have
been able to manage the stress by creating firm boundaries between work and nonwork
hours, proactively managing their calendars, and working with others in the organization
for support (see Gartner Peer Connect Perspectives: Analyzing CISO Fatigue). CISOs
should work to define their responsibilities from the onset of their work, and routinely
evaluate whether the projects they are involving themselves in are within scope. CISOs
should consistently reflect on their own effectiveness and whether they are managing
their personal stress as well as they could. While there is no secret to being an effective
CISO, living a relatively balanced life and being mindful goes a long way in supporting
effectiveness.


Conclusion
CISOs must focus on their personal effectiveness as their roles continue to expand and
they play a more critical part in shaping the overall direction of the organization. The CISO
role is moving into uncharted territory, and CISOs should respond by focusing on what is
controllable: their own behaviors and mindsets. Leading CISOs align their actions to the
specific outcomes outlined in Gartner’s CISO effectiveness index. They embrace the
changes happening to the CISO role and prioritize their stakeholder engagements, future
technology and risk, a forward-looking talent strategy, and stress management. CISOs
who are able to pair this outlook with the other behaviors and mindsets outlined in this
research should expect to maintain, and even increase, their personal effectiveness for
years to come.

Recommended by the Authors

Are CISOs Meeting Market Demand? A Benchmarking Report on What Organizations Look
for in a CISO and How Candidates Compare

CISO Effectiveness: A Report on the Behaviors and Mindsets That Impact CISO
Effectiveness

Do Breaches Really Shorten a CISO’s Tenure? A Debunking of the Myth

About This Research

The Information Risk Research Team collaborated extensively with global Gartner experts
and hundreds of CISOs, between the survey and interviews, to ensure a rich, executive-
oriented view of CISO effectiveness. The research team tested 60 different behaviors and
mindsets, background traits, and organizational factors against the effectiveness index,
and conducted a gap analysis between top and bottom thirds of the sample. The analysis
is based on the characteristics differentiating effective CISOs. The top-performing third of
CISOs in the sample were categorized as the most effective. The data from the 2020
Gartner CISO Effectiveness Survey can be read in CISO Effectiveness: A Report on the
Behaviors and Mindsets That Impact CISO Effectiveness.


© 2021 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of
Gartner, Inc. and its affiliates. This publication may not be reproduced or distributed in any form
without Gartner's prior written permission. It consists of the opinions of Gartner's research
organization, which should not be construed as statements of fact. While the information contained in
this publication has been obtained from sources believed to be reliable, Gartner disclaims all warranties
as to the accuracy, completeness or adequacy of such information. Although Gartner research may
address legal and financial issues, Gartner does not provide legal or investment advice and its research
should not be construed or used as such. Your access and use of this publication are governed by
Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its
research is produced independently by its research organization without input or influence from any
third party. For further information, see "Guiding Principles on Independence and Objectivity."
