A recent Gartner report was rather scathing about the effectiveness of chief information security officers (CISOs). Only 12%, according to the 2020 Gartner CISO Effectiveness survey, excel in all categories considered by the analyst firm in the study.
The bar was obviously set high. But that is a sign of the times. CISOs have to be on the ball in the face of unrelenting and exponentially growing cyberthreats. Further factors challenging the effectiveness of CISOs include greater oversight from regulators, executive teams and boards of directors, as well as Covid-19 pressures.
“Today’s CISOs must demonstrate a higher level of effectiveness than ever before,” said Gartner analyst Sam Olyaei. “As the push to digital deepens, CISOs are responsible for supporting a rapidly evolving set of information risk decisions.”
A total of 129 heads of information risk functions around the globe were graded on functional leadership, information security service delivery, governance, and enterprise responsiveness. Those in the top 12% scored in the top one-third of the CISO effectiveness measure in each category.
Gartner isolated five key behaviors prevalent among the top performers:
Initiating discussions to stay ahead of threats
Regularly briefing and updating decision makers on potential risks
Proactively evaluating and deploying emerging security technologies
Developing a succession plan
Collaborating with senior executives to maintain alignment between security and business objectives
Steps to Increase Effectiveness
So how can mere mortals who failed to make the highest grade increase their effectiveness? Here are some observations:
1. That overused term “proactive” is a common denominator among the most effective CISOs. “A clear trend among top-performing CISOs is demonstrating a high level of proactiveness, whether that’s staying abreast of evolving threats, communicating emerging risks with stakeholders or having a formal succession plan,” said Olyaei.
2. Get out of the IT department. Some CISOs are too engrossed in IT matters. Gartner noted that top-performing CISOs meet with three times as many non-IT people as they do with IT stakeholders. Those enmeshed in the IT world need to extend their attention and schedule meetings with business unit leaders as well as the heads of marketing and sales to find out what they need, hear their concerns about security practices, and understand their objectives, priorities and strategies.
3. Be an executive. The survey noted that only 27% of the top-category CISOs feel overloaded with security alerts. The rest tend to be bogged down in putting out fires. Those finding themselves moving from flap to flap and alert to alert are advised to reorganize to elevate their activities to the executive level their job description demands. Better delegation of duties, additional hiring, or time apportionment are required.
In smaller shops with a more hands-on CISO, it should at least be possible to allocate certain hours each day for executive duties in order to achieve some level of proactiveness. That’s good advice for just about everyone: Taking a step back from the endless stream of day-to-day tasks to see the bigger picture could make any employee more valuable.