How great IT security leaders succeed


By Matt Hines
March 10, 2008

As the threat of attack, both external and internal, continues to take 
root and as data-handling regulations continue to proliferate, the role 
of a chief information security officer appears to be growing more 
complex by the day. Many CISOs are doing an admirable job of stemming 
the tide of data loss and keeping their heads above water around 
compliance. But some IT security leaders are doing it better than the 
rest, according to a recent Forrester Research report, which has 
identified several characteristics that make these top CISOs more 
successful than their peers.

Beyond predictable recommendations such as having a close relationship 
with their employer's business leaders and making security a pervasive 
issue across their entire organizations, several unexpected practices 
arose during Forrester's discussions with users, vendors, and 

A moral compass is the key to success

The top finding was that truly effective CISOs must have a strong moral 
compass, leading by example at least as much as by mandate. "CISOs are 
expected to have a certain level of 
technical skill, but the character of the person really drives a lot of 
the success that they might have in this position," said Khalid Kark, a 
Forrester analyst and the report's chief author.

"Having the integrity, the visibility, and letting people know that you 
as an individual will always do the right thing is of great importance 
when you are being trusted to protect a lot of sensitive information." 
Other C-level executives may be able to get away with taking sides in 
corporate standoffs or going behind people's backs to accomplish their 
goals, but CISOs who expect to garner the level of respect needed to 
carry out their jobs most effectively must emit a persona of undeniable 

"Before doing the research, I wouldn't have guessed how important this 
aspect might have been, even having managed security operations myself," 
said Kark. "But it became clear that this is a characteristic that many 
people really value in a CISO. One of the issues that these executives 
face is that it takes time to build trust, and if you have that [moral] 
compass where you instinctively know what [is right] to do, you can 
achieve that [trust] in a shorter timeframe."

Also important to gaining that trust and executive buy-in is an ability 
to work with "the corporate psyche," as well as balancing the CISO 
position's political and policing roles.

Flexibility, patience, business acumen, and mentoring are other keys

Other key attributes of the most successful CISOs include having the 
flexibility to look for creative solutions to problems and move quickly 
from one project to the next, remaining patient whenever possible, and 
running security as if it were a business unit. That latter talent 
requires the ability to gather important security and compliance data, 
plus knowing how to use it to defend related budget items and project 

One of the most important assets for any CISO, Kark said, is to behave 
as a "kingmaker," someone who helps other people improve their own 
skills by acting as a mentor, rather than as a draconian ruler who 
merely gives commands and expects them to be followed. "CISOs need to 
help other people succeed and take over different responsibilities. This 
should be part of their overall security strategy," he said.

A related talent is not playing the blame game. "CISOs also have to be 
willing to take on a lot of the blame when things go wrong, even if it 
was someone else's fault. You don't want to take the blame for 
everything, but if you can stand up for someone else's mistake and use 
that to work on issues that improve the overall position of the 
organization, that's a great thing to do."

Value of deep technical skills is questioned

One aspect that the Forrester report did not cite as critical to a 
CISO's success was having a high level of technical skills. "Some people 
said yes, and others said no. This is an old debate," Kark said. "I 
think the key is that you absolutely need to have the ability to 
comprehend technical data, but you don't necessarily need the hands-on 
skills. Many successful CISOs don't focus on operational issues like 
managing firewalls, but they do need to be aligned with defining 
security policies and crafting the risk posture of their organization."

In fact, many CISOs who do have technical skills contend that the 
knowledge often leads to them getting tied down in too many operational 
decisions and projects, he said.

Regardless of a CISO's technical abilities, Kark said that it will 
become increasingly important for security leaders to move away from a 
bottom-up approach to security, where the focus is what tools to use, to 
a top-down approach driven by risk management and governance concepts. 
"These executives need to move from operational expertise into more of a 
role of a strategic thinker, from a policeman to a trusted adviser," he 
said. "They need to see themselves more as a consultant, as opposed to 
an auditor, and transition from a specialist in IT security to a 
generalist in overall business risk."
