(SecurityWeek) – IANS Research has developed a model designed to help chief information security officers to maintain their inherent promise: that is, “to safeguard critical assets across space and time.”
This model, which it calls CISO Impact, rests on two fundamental capabilities: technical excellence and organizational engagement. The former involves eight domains from access control to incident response; while the later includes seven factors from running infosec like a business to getting Business to own the risk.
From this model, combined with insights from more than 1,200 high-performing CISOs and information security teams, IANS has developed what it terms ‘The 5 Secrets of High-Performing CISOs’.
“The connected world is a dangerous place,” says Stan Dolberg, chief research officer at IANS Research, “and because of this, CISOs and their teams must lead their organizations to adopt safe business practices. However, the challenge remains that many CISOs are leading from a position of little authority or influence. The CISO Impact diagnostic provides specific ways for CISOs to assert information security leadership skills that are commonly found in organizations one step ahead on the maturity curve. Our goal is to inform, contextualize and prioritize where to invest skills, practices, and technologies. Armed with this strong guidance, CISOs can chart their own paths to leadership.”
Put bluntly, the purpose of this report is to help lower performing CISOs to perform better through using the methods already used by high performing CISOs. The five secrets to achieving career success are:
Lead without authority
Embrace the change agent role
Don’t wait to be invited to the party
Build a cohesive cyber cadre
It’s a 5 to 7-year journey to high impact
Each of these ‘secrets’ is discussed in the report and supported by statistical research evidence. For example, 100% of high performers lead despite having no authority, using “persuasion, negotiation, conflict management, communication, education.” Only 3% of low performers succeed in this.
For the second ‘secret’, the report states, “High-performing CISOs know the value of engaging to drive change,” says the report. “In the CISO Impact data, 3 out of 4 of high performers embrace this approach, compared to 1 in 20 of the low performers. To embrace this role, know the business, know yourself, and get ready to ‘make lemonade’.”
The third secret is not so widely adopted by the high performers. “More than half of high performers in the CISO Impact data set didn’t wait for executives to have an epiphany that security matters,” states the report. “They leveraged the power of simulation to generate the emotional experience of loss or compromise that is fundamental to an engaged executive team.” Less than 1% of low performers did similar.
In secret 4, “High performers patiently assemble and train more than a team — they culture a cyber cadre.” This approach is adopted by 85% of high performers; but by only 1.4% of low performers.
The fifth secret warns that there is no quick fix. “Five to seven years is a realistic time frame for building the trust, the program, the team, and the value of information security to the point where information security is baked in.”
These five secrets provide excellent advice for improving company security and enhancing CISO careers. As stand-alone research, however, the report has several problems. The first is the distinction between a high performer and a low performer. The second is that it is easier to be a high performer in some companies than it is in others.
Martin Zinaich (CSSLP, CRISC, CISSP, CISA, CISM and more) is information security officer for the City of Tampa, comments: “‘You must lead without authority’ — that is so very true! You have to do that both technically and from an organic business integration standpoint. Yet,” he told SecurityWeek, “the study shows that 60% of high performing security leaders report into risk and business roles (that have authority) — and 95% of lower performing CISOs report to the CIO (where they don’t). Those two stats show the simple reality that it is very difficult to lead without authority. Almost every non-technical safe corporate wide business practice I have seen where the CISO is lacking authority has come via post breach, regulations or working with the Audit department.”
The danger for research statistics is that some of the low performers could be high performers in a different company with more resources and/or a more receptive C-Suite.
A similar issue occurs in the fifth secret; that is, ‘it’s a 5 to 7-year journey to high impact’. The reality is that few CISOs will remain in one position for that long — in fact, it is probably only the high performing CISOs already occupying a high-flying position with a security-aware company that will do so.
Such concerns, however, only impact the statistical difference between high and low performing security officers. The basic arguments contained within the five secrets remains quality advice for any CISO who wants to better secure his organization and improve his career potential.
The IANS Research report, “The 5 Secrets of High-Performing CISOs” will be presented at the RSA Conference next week.