Today's CISO plays a pivotal role not only in defining technical standards and security policies, but also in assuring customers of the security of their data and validating security controls to regulators. Many are struggling with this transition because they have been given these responsibilities without any real authority or visibility within their organizations. They also need a new set of skills to successfully fulfill their responsibilities.
After talking to many successful CISOs of global organizations over the past year, Forrester Research identified seven habits that make them effective in their role.
1. Let Your Strong Moral Compass Guide You-Always
Forrester found that successful CISOs pointed to ethics and morality as an absolutely essential tenet of their role. Many said that they also look for this habit more than anything else when selecting staff for their security organizations.
Many successful CISOs said the trust they'd established was the primary reason they gained influence. CISOs need to deal with their fair share of office politics, and having a principled stance in those dealings helps build trust and credibility. There might be times when a CISO needs to make tough choices, like stopping a critical IT project from going live, and CISOs must be perceived to act justly and fairly. (Read What Is the Moral Responsibility of a Business Leader?)
2. Be Flexible and Nimble
Although information security is more visible in the organization and has a greater set of responsibilities than in the past, the CISO still has to compete for the limited resources and attention span of the organization. Some successful techniques include looking for creative solutions, being prepared to move quickly and taking down controls that become unnecessary.
One CISO said he challenges his team never to say "no" to the business, but instead to work collaboratively to come up with alternative solutions. Another said that during the first 30 days on the job he evaluated all the visible security controls and worked to eliminate those that were redundant or could be addressed in a nonintrusive way.
3. Run Security Like a Business
CISOs need to present the program in a businesslike manner for it to be taken seriously. Running the security program diligently and consistently, and tracking progress against established metrics and parameters, demonstrates that you treat security as an important business goal. CISOs can achieve this by:
- Developing and sticking to a security program
- Staying one step ahead of business planning cycles
- Being consistent and diligent in his/her actions
- Emphasizing customer service