Revealed: The behaviours exhibited by the most effective CISOs
As cybersecurity threats mount up and more gets asked of CISOs, Gartner has today revealed that only 12% of chief information security officers' excel' in all four categories of the Gartner CISO Effectiveness Index.
Gartner's determines the measure of CISO's effectiveness by their ability to execute against a set of outcomes in (1) functional leadership; (2) information security service delivery; (3) scaled governance and (4) enterprise responsiveness.
Gartner defines 'effective CISOs' as those who scored in the top third of the CISO effectiveness measure.
"Today's CISOs must demonstrate a higher level of effectiveness than ever before," says Gartner research director Sam Olyaei.
"As the push to digital deepens, CISOs are responsible for supporting a rapidly evolving set of information risk decisions, while also facing greater oversight from regulators, executive teams and boards of directors.
"These challenges are further compounded by the pressure that COVID-19 has put on the information security function to be more agile and flexible.
The survey upon which the scores were based was conducted among 129 CISOs, across all industries globally in January of this year.
The behaviour indicators of top-performing CISOsThere were clear and disparate behaviours that differentiated the top-performing CISOs to their counterparts.
Olyaei says one of the most prominent was a high level of proactiveness, widely deemed all but essential in the cybersecurity business. This can mean staying ahead of and anticipating the threats, communicating emerging risks with stakeholders or having a formal succession plan.
"CISOs should prioritise these kinds of proactive activities to boost their effectiveness," says Olyaei.
Another behaviour exhibited by more effective CISOs was the practice of meeting with three times as many non-IT stakeholders as they do IT stakeholders.
Two-thirds of top-performers meet at least once per month with business unit leaders, while 43% meet with the CEO, 45% with the head of marketing and 30% with the head of sales.
"CISOs have historically built fruitful relationships with IT executives, but digital transformation has further democratised information security decision making," says Gartner senior research director Daria Krilenko.
"Effective CISOs keep a close eye on how risks are evolving across the enterprise and develop strong relationships with the owners of that risk – senior business leaders outside of IT.
Cybersecurity is a traditionally stressful industry, as CISOs are charged with the protection of critical data which, if compromised, can easily sink an organisation if mishandled.
It should come as no surprise, then, that CISOs who manage their stress and keep on top of workplace stressors are more effective.
Just 27% of top-performing CISOs feel overloaded with security alerts, compared with 62% of bottom performers, while less than a third of top performers feel that they face unrealistic expectations from stakeholders, compared with half of bottom performing CISOs.
"As the CISO role becomes increasingly demanding, the most effective security leaders are those who can manage the stressors that they face daily," says Olyaei.
"Actions such as keeping a clear distinction between work and non-work, setting explicit expectations with stakeholders, and delegating or automating tasks are essential for enabling CISOs to function at a high level.