The New CISO Leadership Mandate

Great CISOs Don’t Just Execute Tactics or Lead Technical Operations. They Reshape Enterprise Views of IT and Security and Build a Durable Foundation of Business Leadership.

As the demands of digital business intensify, the Chief Information Security Officer (CISO) role has been thrust into the spotlight.

According to Gartner, 64% of enterprise board directors say their organization is trying to significantly alter its economic architecture to put more emphasis on digital. At the same time, 88% say recognizing cybersecurity is a risk to the business.

Increasingly, CISOs serve as board members and now engage in C-level strategy. Amidst this shift, CISOs must learn to speak “dollars and cents” – or the language of strategy, opportunity, transformation, and business risk.

As explored in our 2023 Identity and Security Trends and Predictions report, we expect a full CISO office makeover as transformational leaders elevate the role beyond a technical security focus. But those who cannot connect cyber-risk initiatives to the organizational agenda, will struggle.

Read on to learn more about the new CISO leadership and performance mandate.

The Ways High-Performing CISOs May Step Up – Now

The technical expertise of many CISOs is a double-edged sword. Although leaders possess the capabilities to enable security and IT enterprise activities, their technical-bent and leadership styles inhibit communication.

Not surprisingly, disconnects emerge that affect the critical flow of resources and information to support security initiatives.

To maximize impact, CISOs must evolve their communication style to bridge gaps and improve performance. Rather than framing issues in terms of cybersecurity, they must lead with business outcomes and impacts.

“Organizations, CEOs, and boards intuitively understand revenue,” guides Gopal Padinjaruveetil, Chief Information Security Officer of the Auto Club Group. “In some cases, we ought to eliminate the term ‘cyber risk’ from our vocabulary, because every risk is a business risk.”

There’s No “I” in Cyber

Unconventionally, top CISOs rebuff the title of subject matter expert. These leaders recognize a problematic pattern when enterprises yield responsibility to so-called SMEs. With solo-ownership, leaders struggle to gain buy-in and support. The reason: Cyber-risk becomes a you not us issue – and gets relegated to the IT domain.

Instead, CISOs must lead a process of collectively connecting cybersecurity to business outcomes.

“Subject matter experts just tell others what the cybersecurity priorities are,” shares Jim Routh, former CISO for MassMutual, American Express, DTCC, & Aetna. “The problem is, when finances dry up, the board pushes back, or competing priorities crop up, the support you thought you had from stakeholders dissolves.”

From the Department of No to Go!

Despite best intentions, security teams often create or support processes that lead to “no.” But severe practices and rigid rule sets once designed to ensure privacy and safety now stifle innovation.

Today, digital transformation and domineering tendencies simply don’t mix.

But when CISOs educate stakeholders, captivate with stories, and craft narratives linking technical issues with growth opportunities, stakeholders respond.

Routh advises CISOs to reorient as collaborators: “Publish control policies in easy-to-understand language and then unleash business leaders.” Instead of defaulting to push-back and limits, let business leaders know that if they’re struggling to satisfy requirements that you’ll help with a workaround.

Effectiveness Requires Strategy & Storytelling

HBR asserts that compelling storytelling makes or breaks leaders’ credibility. Their research highlights how executive performance often depends on stories that are audience specific, contextualized, and human.

Sometimes, the overly-technical upbringing of CISOs affects their ability to be understood by the average business stakeholder.

As responsibilities elevate, security executives must craft narratives to ensure that metrics, ideas, and proposals are grounded with stakeholder-centered language. “People respond to stories – there’s power in connecting information security narratives to business implications,” acknowledges  Padinjaruveetil.