The evolving CISO role: What success looks like

The CISO role expands rapidly

Traditionally, the Chief Information Security Officer (CISO) has had a clear scope of responsibility; oversee the security of digital and physical information. But that doesn’t cover the breadth of challenges facing today’s cybersecurity professionals.

A major cause of complexity within the CISO role is the shift to remote work, which brings with it new risks and variables to manage. Combine that with the growth of the internet of things, the broadening of business ecosystems and greater integration with third-party vendors, and the scope of the role has expanded quickly.

This role expansion plus the high stakes of security breaches — downtime, data loss, reputational harm and liabilities such as ransom payments — means the CISO contends with major risks all day long and from every side.

In the past, CISOs could rely on their technical skills to excel in their role. But as they face crisis after crisis, they need a new suite of skills to lead transformation. Top CISOs need imagination, strategic thinking, curiosity and tolerance of ambiguity to thrive in disruption. And, because of the importance of their role, they also need the skills to influence people across the enterprise.

Increasing data security threats

In addition to all these changes, the threats to data security that CISOs must manage evolve every day, if not every hour. These threats are relentless, innovative and costly. With few barriers to entry and the potential for significant rewards, those behind the threats are smart and determined to succeed.

Perhaps the most insidious threats are sophisticated contracted hackers, who have the funding and know-how to disrupt operations. Equally dangerous are lower-level threats, those who are adept at stealing data and holding companies hostage with ransomware. Sometimes disgruntled employees even work from the inside, engaging in deliberate sabotage.

The challenge of retaining CISOs

The demands of the CISO role seem to be never-ending and put cybersecurity professionals at risk of burnout. Even worse is that CISOs usually toil in the background, so their contributions often go unrecognized. Only when something goes wrong do they take the spotlight. Given the changing nature of threats, combined with a narrow job description and limited span of authority, they often can’t live up to the C-suite’s lofty — and unrealistic — expectations.

As a result, this role frequently suffers from low morale. That means CISOs are at high risk to leave their roles — and turnover is rising.

Top technology executives are difficult to attract even in the best work climates, so organizations need to rethink their organizational design and create a clear career progression plan for CISOs. Without a plan, businesses will struggle to retain talent — and it will be difficult to build a talent pipeline.

Essential skills and competencies for today’s CISOs

To learn more about how organizations can create a plan to help today‘s cybersecurity professionals succeed and build a talent pipeline, we undertook a research project. Our goal was to learn about the challenges of the role and the competencies required to meet these challenges. We interviewed 15 leading CISOs and mined our data pool of executive assessments. Here’s what we learned.

CISOs can’t rest on technical competence

While it’s true that technical expertise has always been essential to a CISO’s success, it’s no longer enough for them to excel simply because they are good at cybersecurity work. Because of CISOs’ influence on the organization and its culture, they also need well-developed leadership competencies.

Cybersecurity professionals must manage and lead in an interconnected environment, working between IT, security and the business as a whole. This means they must have influence across the business and should possess strong interpersonal and communications skills. They must also have the skills necessary to build teams, foster collaboration and empower their people.

Given the constant changes in their role and in the market, CISOs need a high tolerance for ambiguity and should be willing to embrace change. It is essential that they are independent thinkers who can analyze and solve challenges, especially as security problems increase in complexity.

To solve these problems, CISOs must be ready to embrace new ideas, leave their comfort zone and reject old assumptions. Cybersecurity professionals with these attributes will be able to develop new and better solutions to overcome any challenge they face.

CISOs need communication skills

While CISOs must be able to understand firewall rules, tactical architecture and compliance regimes, they should also be able to clearly communicate the risks surrounding these topics to the wider business. This will ensure sounder decision-making by stakeholders with consideration for what these security risks mean within the broader business context. Perhaps most importantly, it is up to the CISO to train employees on the attitudes, habits and practices that create security vulnerabilities.

CISOs need to bridge gaps

Security isn’t just an IT responsibility anymore. Today’s cybersecurity professionals should be ready to build a culture where security becomes everyone’s responsibility. CISOs also need to be able to explain the value of the measures they suggest, because cybersecurity investments can be expensive with an uncertain ROI.

CISOs must be able to build cross-functional networks

CISOs may have a narrow span of control, but their work touches every department in every organization. That means they need a broad network in order to influence others across their organizational ecosystem. They also need to be able to partner with external stakeholders, including their peers, nonprofits and government entities as they respond to cyberattacks.

The leadership assessment data from our online self-assessment tool, the Korn Ferry Four Dimensions of Leadership Assessment (KF4D), supports these findings on the importance of soft skills for CISOs. When we compared the results of CISO candidates from 2015–16 against CISO candidates and placements from 2020–21, we found a clear evolution of CISOs from people who excel at technical persuasion to people who possess strong interpersonal traits.

The four key traits that emerged in candidates and placements in the last five years were empathy, social influence, sociability and the ability to engage people and inspire followership.

3 steps to help CISOs and other cybersecurity professionals succeed

Our research identified three key steps that organizations can take to help CISOs succeed from a leadership and organizational perspective.

1. Develop a leadership pipeline

To grow the capabilities of their current CISO and build a pipeline for future leadership, organizations should invest in a variety of tools.

An early step is learning about cybersecurity professionals’ development needs. Assessments against research-based success profiles can highlight opportunities for skills training and trait enhancement to prepare talent for junior roles.

Organizations should also establish clear career paths that give junior talent experience in a variety of business and functional areas as well as within technology domains. With broader experience, junior talent can develop the situational awareness essential to succeed in senior roles and the business ecosystem.

Leadership development that targets cybersecurity professionals is also critical. And, of course, organizations must invest in creating a diverse, inclusive workplace that offers greater opportunities to underrepresented populations.

2. Raise the profile of CISOs within the organization

Cyber breaches are inevitable. The key is for organizations to create resilience. But too many organizations have structures that hinder the ability to make smart decisions or take accountability for breaches. They also lack the talent required to improve safety.

Organizations need to prioritize the input and role of cybersecurity leaders, giving them the authority they need to design effective processes, bridge gaps between departments and enforce procedures to safeguard the company.

3. Give the CISO access to engaged senior leaders

When it comes to cybersecurity, command and control won’t work. Horizontal, not vertical, orientation is necessary, because departments need to work together across departments to manage cyber threats.

Moreover, organizations need to prioritize the role of CISO expertise in decision-making. They need to create opportunities for CISOs to engage senior leaders and the board in conversations about cyber threats. Organizations will also likely need to develop new governance frameworks and reporting structures.

How to empower your CISO

Following the steps in this article will start you on the path toward a more valued, empowered CISO role and with it, a more effective cybersecurity function, but this is a complex journey. For additional insights from our research, download our summary, Meet the new CISOs . Then get in touch with our cybersecurity team to learn how to align your cyber talent strategy and organizational design to maximize the impact of your cybersecurity professionals.