The times have gone when the CISO had to explain what cyber security was about and the value it brought
In the face of non-stop cyber-attacks, and the urgency of change around cyber security practices in large firms, the CISO has to be – first and foremost – a leader.
The role can no longer be limited to its technical content. Cyber security has a technical dimension of course, and a fundamental one, but it was never just about tech. Delivering real and lasting change around cyber security across the complexity of large organisations has to involve all corporate silos: Business units, geographies and support functions, as well as IT and suppliers.
Bringing them all onboard with a common and coherent cyber security agenda cannot be something arbitrary or pre-determined. It can only be built on the basis of the situation and priorities of all stakeholders: They will buy into it if there is something in it for them; they will resent it and drag their feet if it comes across as something arbitrary imposed by head office.
So understanding the firm’s governance dynamics – and frankly, the internal politics – will be key for the CISO in large organisations to calibrate the change agenda to a level the fabric of the business can tolerate.
That has to start by listening to key stakeholders, understanding their challenges and their priorities around cyber security, as well as the general situation of the business.
The times have gone when the CISO had to explain what cyber security was about and the value it brought. All business leaders would have been exposed to the concept of cyber threats and cyber-attacks given the level of media coverage of the last decade. Many would have faced their impact in other roles. They will have a view on the matter, and quite often a balanced business view of what to do – or not – about it.
Too many CISOs jump straight at technical recipes or try to apply ready-made solutions they have used or seen elsewhere.
“What can I do to help you?” should be the opening question for the CISO in their exchanges with stakeholders.
Listening to the answers, accepting them for what they are (irrespective of the CISO’s personal inclinations), structuring them into a strategic change agenda, and – most importantly – delivering on the expectations created, are the pillars on which a successful CISO should build their practice (in particular, the incoming CISO).
At this point, we start to see an emerging profile of a certain type for the CISO, that will be key for the role to be successful. The profile of an individual who has sufficient management experience and political acumen to navigate the complex governance waters of large firms, the ability to listen without jumping to a pre-determined agenda, and the ability to deliver on expectations in a complex and transversal field.
Where maturity is low and aggressive change is required around cyber security practices, those attributes are more important, in my view than the native ability to understand the technological context in which cyber security is rooted. Of course, those are attributes some technologists could develop naturally over the course of a career in tech, in particular in senior roles, but fundamentally, they are leadership attributes that come with time and experience.
The key for me is the quality of the listening and the building of some realistic and achievable consensus around the expectations collected from stakeholders, without always dropping to the lowest common denominator (generally, that’s awareness development in the cyber security space – whatever that means in practice…).
It’s a difficult task but it is the essence of true leadership.
Going back to the basic meaning of the word, a “leader” is someone who is followed; and people generally follow when have the sense they will get something in return.
Those are the simple dynamics successful CISOs have to build around cyber security.
