Executive leadership for Security Management: guidelines for success


At the CIO/CISO level, technology-focused leaders are fast being replaced by executives who take a more holistic approach to technology security and risk management. The leaders sought after are those who understand operational effectiveness, governance and partnerships, and who possess exceptional leadership skills. These leaders realize that effective risk management programs ultimately improve customer service and increase shareholder value. The modern firm is results-oriented, and so must be its leaders. Devising novel ways of answering questions in the affirmative goes a long way toward building consensus; however, it requires thinking of security as an enabler of the business, not as an operational burden.

Incentive structures at the CISO/CIO level now also reflect internal risk and return against performance measures and the controls implemented. Executives can no longer work in silos; they must align investments across all business-related risk areas with both external and internal exposures. Those who use established, standards-based enterprise IT or non-IT frameworks are at an advantage from the outset. ISACA’s case study applying COBIT 5 to non-IT business strategy execution is a good example of an enterprise technology framework lending itself cleanly and seamlessly to strategy implementation through the ‘goals cascade’ methodology. Specifically, ISACA states: “the strategic initiatives were undertaken in such a way as to enable the goals cascade, i.e., that the needs of stakeholders (members, certification holders, others in ‘IT trust’ professions, and enterprises that are dependent on IT, among others) were reflected in appropriate organizational goals, the achievement of which would be enabled by achievement of the goals of the entire strategic portfolio, which in turn would be supported by achieving individual initiative goals”.

At a tactical level, security executives need to think in terms of operational risk, because that is the common language the business understands. The art of the leader shows in how well she or he builds credibility and tailors the security message to the diverse risk appetites within the business. The ability to sell well-formulated risk strategies to insiders is another key leadership skill that distinguishes good executives from average ones.

Soft skills that are usually not written into the job description are vital for the security leader: these are traits, differentiators really, that add to the overall effectiveness of the CISO/CIO office. Several communication models exist that executives can use to describe their fit for security executive roles: STAR (situation or task for context, articulate the action, explain the result) and PAR (describe the problem, articulate the action, explain the result) are two examples. Colin Powell’s statement about leadership in general has profound implications for security executives: “Great leaders are almost always great simplifiers who can cut through argument, debate, and doubt to offer a solution everybody can understand.” Simplification is indeed a distinctive skill that security executives and managers must use to communicate risk mitigation plans to stakeholders.

Expertise is overrated. You’re only an expert for a few minutes, anyway! There is always someone who knows more. Arrogance, self-reliance and cavalier attitudes land security executives in trouble more often than we would like to think. Leaders must be able to collaborate across the information security, privacy, risk management and governance functions. One way to do this is to rely on relationships; another is to develop key players into change agents: people who can carry your message far and wide into the firm. An extremely important trait is the ability to deliver the appropriate security message to stakeholders, which requires understanding the business objectives, how security helps achieve them directly, and how it supports the firm’s reputation in the market from a wider lens.

And don’t forget this: always ask for a security budget backed by a sound business model and financial plan!

This entry was posted in Leadership, Strategy, Technology.

1 Response to Executive leadership for Security Management: guidelines for success

  1. It’s amazing in support of me to have a website which is useful in support of my knowledge. Thanks, admin.