HerrBullermann - Fotolia

What are the habits of highly effective CISOs?

Data crunched by Gartner analysts reveals the behaviours that differentiate the top-performing chief information security officers from the pack

The most effective chief information security officers (CISOs) demonstrate exceptional ability to execute against four key metrics – functional leadership, information security service delivery, scaled governance and enterprise responsiveness – but only 12% of them meet the grade against all four criteria, according to new data presented by Gartner at its annual Security and Risk Management Summit.

Gartner undertook a global study of heads of information risk functions back in January 2020 to build a scale of CISO effectiveness, with each respondent’s score against all four metrics added together to calculate an overall rating – with the top third defined as effective.

“Today’s CISOs must demonstrate a higher level of effectiveness than ever before,” said Gartner research director Sam Olyaei. “As the push to digital deepens, CISOs are responsible for supporting a rapidly evolving set of information risk decisions, while also facing greater oversight from regulators, executive teams and boards of directors.

“These challenges are further compounded by the pressure that Covid-19 has put on the information security function to be more agile and flexible.”

Gartner also identified five behaviours that are twice as prevalent in top-performing CISOs than in bottom-performing ones.

It said the most effective CISOs constantly initiate discussions on evolving cyber security norms to stay ahead of threats; prioritise keeping their organisation’s decision-makers aware of current and future risks; proactively engage in seeking out and security emerging security technology; implement formal and actionable success plans; and define their organisation’s risk appetite through collaboration with decision-makers.

Olyeai said a clear trend among the top-performers was the ability to demonstrate high levels of proactiveness, whether that was staying abreast of the threat landscape, communicating emerging risks to stakeholders, or implementing formal plans. “CISOs should prioritise these kinds of proactive activities to boost their effectiveness,” he said.

Gartner also found that the top CISOs met with three times as many stakeholders outside the organisation’s IT function as stakeholders within it. Two-thirds of the top performers told its pollsters that they met at least once a month with different business unit leaders, with 43% meeting with their CEO, 45% with marketing leads, and 30% with sales leads.

Daria Kirilenko, senior research director at Gartner, said this was evidence that wider digital transformation trends were democratising decision-making around information security.

Read more about IT leadership

  • CIOs are facing many uncertainties and changes in 2020. Cross-functional teams, cyber threats and IoT are becoming priorities. Here’s a look at future trends CIOs can expect in 2020 and beyond.
  • To help navigate through a crisis like the pandemic, IT executives are drawing on their leadership and interpersonal skills as much as – if not more than – their technical ones.
  • FDM’s IT chief takes us through the challenges of responding to the coronavirus pandemic, and the future opportunities that the changes introduced now present.

“Effective CISOs keep a close eye on how risks are evolving across the enterprise and develop strong relationships with the owners of that risk – senior business leaders outside of IT,” she said.

The study also found that the most effective CISOs were more skilled at managing stress both in and out of the workplace. Alert fatigue is a term many will be familiar with, but just 27% of the top-performing security pros said they felt overloaded with security alerts, compared with 62% of those ranked at the bottom.

Also, less than one-third of the top performers said they felt they faced unrealistic expectations from elsewhere in the organisation, compared with half of the bottom performers.

“As the CISO role becomes increasingly demanding, the most effective security leaders are those who can manage the stressors that they face daily,” said Olyaei.

“Actions such as keeping a clear distinction between work and non-work, setting explicit expectations with stakeholders, and delegating or automating tasks are essential for enabling CISOs to function at a high level.”

Next Steps

Future of data management is in the cloud

Read more on IT risk management