Seven Surprises for New CISOs

More than a decade ago, leadership and governance experts Michael Porter, Jay Lorsch and Nitin Nohria published a Harvard Business Review article describing seven surprises that await newly appointed Chief Executive Officers (CEOs). The authors’ findings were based on ‘boot camps’ held bi-annually at Harvard Business School for recently appointed CEOs of companies turning over billions of dollars per annum.

These surprises also apply to the leadership role of a Chief Information Security Officer (CISO), a position that scarcely existed when Porter’s article was published. In the intervening years, the CISO role has matured and proven itself worthy of a seat at the C-level. Porter’s surprises remain relevant today, and I have adapted them to relate to fledgling and experienced CISOs alike:

1. You can’t run the company or protect it

While many new CISOs have significant experience managing information security teams or functions, that experience does not necessarily prepare them for the C-level expectation that they communicate in the language of the business. It is also easy to fall into the trap of focusing on tactical topics rather than long-term strategic priorities.

New CISOs will discover that direct control must be exchanged for indirect control. This is accomplished most effectively by embedding strategy, culture and vision, combined with building a strong and trustworthy team. That team must be empowered to protect the business through investments in people, processes and technology.

2. Giving orders is very costly

“Giving orders you know won’t be obeyed is one of the best ways I know to destroy your own authority”.
~ Dan Weber

Information security organisational power may lie in the lap of the CISO, but it must be used both sparingly and cautiously. An effective CISO must ensure that the aforementioned empowered team has mechanisms in place for shared decision making and consultation. If not, the CISO becomes a bottleneck, and direct reports are inclined to ask for permission before making decisions for which they are accountable.

The traditional ‘command and control’ style of leadership is for dinosaurs. The modern CISO should be seen as a leader, mentor and role model. It is imperative for the CISO to develop his or her direct reports to function, first and foremost, as a team.

3. It is hard to know what is really going on

On a daily basis the CISO is bombarded with a plethora of information, much of which may not be relevant. The CISO simply cannot monitor and protect the entire IT organisation all of the time; compromises of systems and data are highly likely. Therefore, knowing how and where to obtain the right information, people, tools and partners is what makes a CISO prepared to deal with both internal and external communications when an incident occurs.

There are various factors that can make or break a CISO’s success, and in my experience there are two foundational elements required. The first is an external method of assessing and benchmarking the information security capability of the organisation. The second is a line of honest and dependable direct reports who share vital information without fear of reprimand or repercussions.

4. You are always sending a message

Each and every word a CISO utters and each deed a CISO performs is analysed, scrutinised and interpreted (or misinterpreted), and, however minor, off-the-cuff or blasé, it can spread like wildfire. The effective CISO is consistent and delivers clear, unambiguous messages. These messages are often brought to life with real-world examples of previous experiences, both positive and negative.

5. You are not the boss

Although the CISO may sit at the top of the security management hierarchy, he or she reports to senior or executive management. Ultimately it is they, not the CISO, who are in charge. The ability to build relationships and manage multiple stakeholders, both upwards and among direct reports, is vital. Obtaining a seat at the C-level table is one thing; keeping it is where the real challenge lies.

6. Pleasing shareholders is not the goal

The C-level and Board have an obligation to protect a company’s share price. Shareholders often hold short-term financial interests in a company, many for less than a year. It is undeniable that information security has a crucial and direct impact on shareholder value. However, defining the objective of the CISO role in line with such short-term interests may not be in the company’s long-term interests, either financially or strategically. A CISO must, therefore, help to educate the Board not only to take information security seriously but also to act as advocates and champions for it in their dealings with shareholders.

7. You are still only human

A CISO understands that not everything can be done to a ‘gold standard’. They also need to prepare for more problems than accolades. The job can be draining emotionally, physically and psychologically, and it is imperative to make self-commitments such as: “I will exercise each day before or after work” or “I will let my children choose fun activities for us all to do together.”

The seven surprises described above are a small collection of the circumstances a CISO may encounter. A recent Deloitte article highlights further experiences and lists some key questions a CISO should address early in their tenure:

  1. What are the key drivers of value in the organization, and how are these being protected?
  2. What are the threats and vulnerabilities that provide the greatest exposure to us today?
  3. To what extent do we have the foundational capabilities and practices in place to protect our critical assets?
  4. How effective are we at monitoring and detecting cyber incidents?
  5. Can we effectively respond to and recover from a cyber incident? Do we have response plans in place, and have they been tested?
  6. What metrics demonstrate that we are effectively protecting the company?

As technologies advance, information security risks naturally become more prevalent, and demands on the CISO will undoubtedly increase. A new CISO should aim to be a key driver of business enablement and growth, integrating security requirements into long-term business strategy. This should be combined with strengthening organisational resilience through what I term “the A, B, C of information security”: Awareness, Behaviours and Culture across the organisation.

Maintaining the right to sit at the C-level table requires a high level of managerial competence and the ability to maintain an appropriate ‘tone from the top’ in order to create strategic and organisational change in a technology-driven world.
