Advice for Leaders—A CISO Needs to be a Leader First

Overlooking the importance of leadership can be a fatal error for an organization. Yet in cybersecurity today, leadership itself is often overlooked. But why?

I propose it is the belief that an executive cybersecurity leader, particularly the Chief Information Security Officer (CISO), should be very technical, to the point of being a skilled practitioner.

Is this belief strategic and beneficial to the company? Or is it an outdated idea based on intuition?

Jennifer Laidlaw, a leading talent development consultant, notes:

I think in tech, we tend to forget that leadership is people-focused. Many folks in tech fall into a set of strengths centered around data and process and not strengths around relationships and EQ (emotional intelligence).

That resonates with me. It is what I have witnessed repeatedly. And that’s why I recommend taking another look at leadership in cybersecurity, tackling it from a different angle by focusing more on one’s proven leadership ability. How do you do that? By evaluating cybersecurity leaders with criteria beyond technical ability. Here are the three benchmarks you should use when selecting an executive cybersecurity leader, listed in order of importance.

Let’s dive in!

The top 3 skills your next CISO should possess

  1. Proven ability to lead

    First and foremost, does your CISO candidate possess the ability to lead and galvanize a team around a cause? Can they build a team? Can this person orchestrate an effective defense posture against an attack? These questions will help you determine whether the potential CISO can give you the best chance to remain secure. If you are thinking, “But what kind of cybersecurity leader can lead without technical know-how?” you are not focusing on the important initial question. Don’t get me wrong, having a technical proclivity is essential — that’s why it’s number three on my list — but it takes a back seat to leadership ability.

    Here’s why: One person cannot solve every cybersecurity issue independently. Organizations with CISOs face constantly evolving, ever-present threats of increasing complexity. Whether dealing with a persistent nation-state threat that is many years and millions of dollars in the making or grappling with a brazen fraudster targeting your less savvy users, no one can do it alone. The more a CISO focuses on the technical aspects of security defense, the less value they bring. Instead, they need to focus on building a security team of wide-ranging, highly qualified cyber experts.

    As they do so, how should they lead? Well, there are countless leadership theories in play. An article in Harvard Business Review covers six fundamental skills every leader should practice:

    1. Shape a vision that is exciting and challenging

    2. Translate that vision into a clear strategy

    3. Recruit, develop, and reward

    4. Focus on measurable results

    5. Foster innovation and learning

    6. Lead yourself

    When evaluating your next cybersecurity executive, determine if the person has those six skills. How? Ask them to prove it. Ask them to:

    1. Explain how they handled in-depth situational examples.

    2. Demonstrate how their past positions tested these skills.

    3. Provide references who can attest firsthand to their superior work.

    If the applicant demonstrates these leadership skills, you have a viable candidate.

  2. Embodies your organization’s culture

    Your next question should be: “Does this person fit our organization’s culture?”

    Remember that you are not starting a debate about your company culture or figuring out what it could be in the future. If you want to improve your organizational culture, save that for another conversation — it’s worthy but irrelevant for evaluating a CISO’s fit. Your CISO needs to fit in as of the day they come aboard.

    A common fallacy is that a person who is successful in one environment will be successful in every environment. Sports provides one of the clearest examples of this. So often, an NCAA college football coach leads one team to a national championship but struggles when they shift to another program. Did they suddenly lose their ability to call plays or to recruit and inspire great players? Or did they encounter a different cultural environment and have trouble adjusting at first, if not forever?

    Leaders must align with organizational culture. If not, you’ll have interpersonal conflict, greater levels of job dissatisfaction, and loss of top talent. This can lead to a vicious cycle of negative reinforcement, where your teams become unstable and ineffective and, in turn, your cybersecurity defenses suffer.

    Once you’ve determined that your CISO candidate is a great leader, do not overlook how they will complement your existing team. An article by O.C. Tanner covers this in far greater detail. Simply put, leaders set the tone for organizational culture. They can make or break it. If your cybersecurity leader isn’t a good fit, the rest of your security operations could slowly spiral out of control.

  3. Possesses a profound technical proclivity

    To bring things full circle, yes, your executive cybersecurity leader does need to have a technical proclivity for security. The leader has to understand the technical cybersecurity challenges the organization faces today and will face in the future.

    What does this look like? There is no single correct answer. Your future CISO could have spent years as a software engineer, network administrator, database administrator, or in another technical but non-cybersecurity role before being promoted into leadership. The person could even have been a computer science professor who jumped into the private sector, rose through the ranks, and became a top candidate for a CISO role. While there are countless other scenarios, the underlying factor is that this person has shown a propensity for technical thinking in all of these situations.

    Now, the person in question needs to have experience in cybersecurity in some capacity. That might mean they led a cybersecurity team, built a cybersecurity program, or obtained various cybersecurity certifications. But do they need 30 years of cybersecurity experience with multiple certifications? No; that would automatically disqualify a lot of worthy people. And remember, the primary focus should be on the person’s ability to lead. That person will build and lead a team of others specializing in all the areas needed to protect your organization across its threat landscape. They need to have a clear frame of reference for understanding what’s happening on the front lines. But they’re not going to be in the trenches.

Wrap up!

Today, if every organization focused on these three areas when selecting their next CISO, they would be far better protected against cyber threat adversaries. One person can’t do it alone, which is why you need someone who can build a team, and not just an internal one. They will need to develop partnerships, build collaborations across industries (even spanning into the public sector), and involve outside experts. There is too much on the line in today’s cyber-threat-laden world for anything less.

Michael F. D. Anaya | Founder

I’m a techie who’s been in cybersecurity for over two decades. My passions are being a top-tier dad, helping others, speaking in public, and making cyber simple. I am also partial to cheesecake and bourbon, but not together… well, come to think of it, it might be a killer combo! TBD.

https://www.mfdanaya.com