I’m lucky. I get to speak to and learn from hundreds of CISOs each year across all different sizes and types of orgs. Each conversation gives a unique insight into how companies approach security and, crucially, what works well and what doesn’t.
Over the last few years, there is a very specific type of security leader who I’ve seen succeeding time and time again. A type of CISO that has particular success in winning boards over, getting employees to engage, and ultimately reducing exposure for their org.
So what makes these new-school CISOs so successful?
1. Security = sales
Gone are the days where security leaders are technical folks that shun any form of pitching as “not part of their job”. The best CISOs have recognized the importance of security in winning new customers and embraced it. Whether it’s leveraging their progressive security tech stack to impress, wowing a prospective customers’ security team over a call, or being a crucial part of the pitch team, security can have a material impact on the most important business driver (new revenue). It doesn’t start when the pitch has been secured; I’m regularly hit up by CISOs at customers asking for intros to prospective new customers. CISOs winning and finding deals – no wonder they don’t struggle with exec attention.
2. Customer success = CISO’s success
I’m biased, but nothing is more important than making the customer successful. It’s easy for security teams to think they have limited ability to impact their customers’ success, but some CISOs are going above and beyond to make their customers successful. From proactively building relationships with customers’ security teams to notifying customers of potential vulnerabilities, nothing beats having a direct relationship with a customer. Better still, if you can help them be more secure, you’re creating value for the customer and protecting your organization; after all, you’re only as secure as the customers (and suppliers) you work with.
3. Employees are everything
Security doesn’t work in a vacuum. You won’t win as a CISO if you push down security policies and assume they’ll be adopted. This belief is at the core of the new-school of CISO – they know that they’ll only drive positive change in the organization if they bring people along for the journey. That means great storytelling, making content relevant and doing everything they possibly can to help, not hinder, their employees to work securely. Some great examples I’ve seen here are hijacking the beginning of other meetings to educate on security, giving line managers the insight they need to make their teams work securely and gamifying leaderboards to make security competitive.
4. Mission-driven
Businesses exist to achieve their mission. Security exists to ensure businesses can stay safe in order to achieve their mission. It’s that simple, and emergent CISOs are building their team around this premise. Unfortunately, often there are years worth of clunky legacy technology and processes that restrict employees, meaning CISOs need to go against the status quo, ask more from their solutions and not settle for anything less than frictionless UX. It’s awesome to see security teams start to judge their success on the delight of their employees – using metrics such as NPS or CSAT – as well as more security-centric metrics. After all, if you enable your employees, you’ll enable your business to succeed.
5. Technical proficiency
There’s no doubt having a level of technical proficiency as a CISO is important, but the CISOs who are influencing the most and driving change in the profession often win because they are great communicators, understand business drivers and care about user experience. More and more, I’m seeing CISOs from non-technical backgrounds triumph by combining the above traits with hiring a team who bring the technical expertise.
It’s been awesome seeing security – and the role of the CSIO – change and observing which type of CISOs are having the most success. No doubt in 12 months time, the traits needed to succeed will have changed again and I’ll need to rewrite this 🤦♀️.