The CISO Must Be – First And Foremost – A Leader

Jean-Christophe Gaillard
December 1, 2020 Big Data, Cloud & DevOps

The key challenges of the transformational CISO are not technological, but managerial.

There is still a vast amount of debate across the cyber security industry about the role of the CISO, their reporting line, their tenure, the levels of stress they’re under, and the burnout epidemic they’re suffering.

But looking into the actual profile of real people in those jobs, talking to them and listening to their problems, you’d quickly realise that there is a fair amount of creative writing involved in a lot that’s being posted.

It is easy to write about “the CISO” thinking this is a fully established C-level role and one of the pillars of corporate governance. In practice, this is far from being the case and the harsh reality is that the role itself is far from mature, in spite of having been in existence – in some shape or another – for about two decades.

The job title – to start with – is far from universal (and has never been). A large number of variants are in use, and behind those, different role descriptions reflecting the perceptions and priorities of each organisation, which in turn find themselves reflected in the reporting line of the function.

Compounded by the natural differences between industry sectors and the security maturity levels of each company, it creates a myriad of roles, which – in the end – can have very little in common.

The actual reality of the role of a “CISO” reporting to a board member in a mining firm will have very little to do with the role of a “CISO” reporting 2 levels below the CIO in a retail organisation. Even if good practices are the same – and have been for a long time, and still protect – putting them in place in each of those situations will have very different meanings.

So talking about “the CISO” is often a dangerous shortcut when trying to address the functional or operational aspects of the role.

Where there are commonalities is around the softer aspects of the role.

First of all, if an organisation is large enough to frame the role in CISO terms, it is likely the CISO will have a team below them. This is where many articles on the theme often go wrong: they talk about “the CISO” as if he or she was a one-man (woman) band, directly involved in the delivery of all aspects of their cyber security practice. That’s rarely the case. In most organisations, the CISO is effectively a leader, structuring, organising, delegating and orchestrating work across their team and across the firm – and across the multiple third parties involved in delivering or supporting the business.

The CISO should also be expected to be able to listen to business leaders across corporate silos, understand their priorities, and adjust security practices to their demands and expectations.

It is simply absurd to pretend that the CISO should have those managerial skills, and – at the same time – expect them to constantly put out burning fires, and be credible all the time and all the way across all technical stacks and across all silos of a large corporate. These unicorn profiles simply don’t exist.

What is not absurd is to expect the CISO to structure and lead a team which can be credible on all those fronts – and firefight, and bring along long-term change. That’s the only way it can work in large firms.

Senior executives also need to understand the complexities involved in leading true security transformation across large corporates, and accept the gaps which may exist at times between knowing what needs to be done to protect the business, saying it should be done and making sure it gets done, for good and across the real breadth and depth of the enterprise.

In bridging those gaps lie the real challenges of the role of the transformational CISO. Those are not technological challenges, but managerial, political and governance challenges.

To be successful, the transformational CISO needs to be – first and foremost – a leader with a good business brain. Not just a firefighting technologist.
