CISOs’ crucial role in aligning security goals with enterprise expectations
In this Help Net Security interview, Chris Mixter, Vice President, Analyst at Gartner, discusses the dynamic world of CISOs and how their roles have evolved significantly over the years. He outlines the critical skills for CISOs in 2024, addresses the challenges they face, and underscores the importance of aligning enterprise expectations with information protection demands.
How has the role of the CISO evolved in recent years, especially in steering through challenges and leading with vision?
Gartner observes four stages of evolution in CISOs at every organization: controls manager -> risk decision owner -> trusted facilitator -> value creator. Each stage builds on the stage prior to it, so we’re not positioning any of these stages as “bad” or “immature,” but rather as prerequisites for and contributors to performance at the next stage as well. We regularly benchmark CISO effectiveness and the majority of CISOs self-identify as being at the stages of ‘risk decision owner’ or ‘trusted facilitator.’ Most CISOs have evolved beyond merely being control managers and the role of ‘value creator’ is still rarified air.
Now, when you get inside those stages to how CISOs’ roles have evolved, the best description is that the role continues to be an “unstable molecule.” CISO role descriptions vary wildly in seniority, scope, reporting line and accountability. Now, “unstable molecule” isn’t meant to be a pejorative, merely a description of reality. And it shouldn’t be surprising—after all, the role of Chief Information Security Officer really only came into being in the mid 1990s. Where finance leaders have had—and this is not hyperbole—more than a thousand years to sort out their remit, the CISO role is still very much in its early stages. Variation in role is also to be expected given that requirements for cybersecurity vary between companies and government agencies, so we expect to see some variation in CISO roles.
However, being an unstable molecule does create problems for CISOs… For one, it sets CISOs apart from the other C-level executives they are expected to engage with. There are very low levels of variance in roles of comparable C-level leaders such as the CHRO, CFO, Heads of Sales, Marketing, etc., so it’s often difficult for the CISO’s peers to track with ‘precisely what the CISO does and doesn’t do.’ One of the most painful realities for CISOs today is a continuing disconnect between enterprise/agency expectations for their CISO, and, what the CISO is actually tasked and funded to deliver. The most visible current manifestation of that disconnect is uncertainty—both from the broader C-suite and from CISOs themselves—around the CISO’s role in supporting their enterprise’s compliance with the updated SEC disclosure rules, but, there are many other examples.
To get to the stages of trusted facilitator and value creator, CISOs need to focus like a laser on closing the gap between enterprise expectations and what the CISO is actually capable (and funded!) to deliver.
In your opinion, what skills are most critical for CISOs to develop in 2024?
The world is awash with folks’ opinions on what skills CISOs should develop. My preference is always to rely on data!
Gartner’s CISO Effectiveness research identifies 14 behaviors and mindsets as essential for CISOs. Annually, more than 200 CISOs contribute their performance and behavioral data to this analysis, and the latest edition showed the top five as: initiating discussions on evolving norms to stay ahead of threats, proactively engaging in securing emerging technologies, dedicating regularly occurring time for professional development activity, building relationships with senior decision makers outside the context of projects, and defining risk appetite through collaboration with senior business decision makers.
Obviously, the mind goes to “figuring out the risks and opportunities in AI” when one reads ‘proactively engaging in securing emerging technologies,’ but, most of the questions I get from CISOs relate to the challenge of building relationships outside the context of projects and problems. For example, our benchmarking clearly shows that regular engagement with CFOs and Heads of Sales is a differentiator of the most effective CISOs—but part of why it’s a differentiator is that such engagement is rare in the CISO community, and, almost always related to core security issues.
Effective CISOs are going beyond ‘how to make your function safer’ to creating two-way value, and that means the need to truly understand what the CFO and CSO’s priorities are. Spoiler alert: their biggest priorities aren’t, and shouldn’t be, cybersecurity.
As noted above, at the nexus of “evolving norms” and “building relationships outside the context of projects,” at least for companies trading on US markets, is supporting the enterprise’s efforts to comply with the updated SEC rules. There’s a massive risk of CISOs over-extending themselves here, but also creating immense value and demonstrating true C-level leadership. So in terms of skill development, CISOs need to focus on setting some boundaries. If you’re not an Officer of the company, don’t sign the 8-K or get pushed into determining what materiality is, for example.
What are the most significant challenges CISOs face, and how do you recommend addressing them?
An easier task would be to list the non-significant challenges, because that would be a far shorter list! The nature of being a cybersecurity leader is that there truly aren’t any small problems. One of the CISOs I respect and have learned a great deal from only has red and green on her performance dashboard. Yellow, she told me, doesn’t exist in cybersecurity. Something is either broken, or it isn’t! I think there’s a lot of insight in that perspective.
The biggest challenge for CISOs is time management. We’re a long way from the era of ‘fighting for a seat at the table’ in cybersecurity—the majority of CISOs I work with are now invited, even demanded to be, at every table! Unsurprisingly, the CISOs who spike in effectiveness are the ones who are ruthless with their time. Who make deliberate decisions about “who” and “how intensely” they engage with, and delegate/automate everything else.
To be sure, cybersecurity is in no small part a lifestyle choice, so, what constitutes work/life balance will be different for every CISO. But, it’s clear from years of analysis and experience that most CISOs come into the job believing that “always-on” is a requirement of the role. And, one of the legacies of the ‘fighting for a seat at the table’ era is the desire to be everywhere, and contribute value anywhere we can. Those behaviors and mindsets don’t scale, which is evidenced by the incredible rates of turnover and burnout in the CISO role.
The solution, as simplistic as it sounds, is to start treating time like your scarcest resource. Building time management skills in the same dedicated way that you build other critical skills for the role. In fact, one of the most frequent ways I support clients is, after they see “personal development” on our CISO Effectiveness benchmarking, leading time management workshops to help them build this skill.
How can CISOs balance the technical aspects of cybersecurity with the increasing need for business acumen?
CISOs need a deep level of technical competency—cybersecurity doesn’t work without massive connections to technology, and, once you get a layer or two down from the CISO, tech is everything! For reasons of credibility alone, the CISO needs to have tech chops so they can actively contribute within the function. And depending on your industry or company size, being hands-on with technology may be an appropriate and necessary part of the role. I think most savvy CISOs are beyond the mindset of believing they can deliver value by being ‘policy/governance’-only.
At the same time, because most CISOs come from the world of technology and operations, it’s very easy, when faced with the ambiguous and often political world of leadership, to over-invest in their comfort zone of technology. For that reason, we see an increasing number of CISOs relying on senior security architects in order to maintain their connection to the world of technology, sifting through the mass of opportunity to focus on the subset that really demands executive-level attention. And, empowering their leadership teams to make more decisions autonomously so that the CISO doesn’t get put in the position of ‘choosing every vendor personally.’
Finally, how do you envision the future of the CISO role, and what trends should professionals in this field be prepared for?
My expectation is that the CISO role will continue to be highly diverse in remit, reporting structure, and a variety of other factors. Again, the role is still relatively new in the context of enterprise leadership, and both the understanding of and need for information protection is highly variable across sectors, all of which mean that we’re not likely to see the CISO role “nailed down” any time soon.
So, being ruthless with your time, and making your “North Star” closing the gap between your enterprise’s expectations and what is truly necessary and possible… those are going to be essential focus points for every CISO.
In addition, Gartner just released its top cybersecurity trends for 2024. In short, we recommend CISOs incorporate nine trends into their work in 2024:
- Continuous threat exposure management
- Extending IAM’s cybersecurity value
- Third party cybersecurity risk management
- Privacy-driven application & data decoupling
- Generative AI
- Security behavior & culture programs
- Cybersecurity outcome-driven metrics
- Evolving cybersecurity operating models
- Cybersecurity re-skilling