Given the strategic significance of digital transformation, IT security leadership is a really important role. And yet, only 12 percent of chief information security officers (CISOs) excel in all four categories of the ‘CISO Effectiveness Index’, according to the latest worldwide market study by Gartner.
Gartner analysts presented their global survey findings and discussed the key traits of top-performing CISOs during their recent ‘Security & Risk Management Summit’.
“Today’s CISOs must demonstrate a higher level of effectiveness than ever before,” said Sam Olyaei, research director at Gartner. “As the push to digital deepens, CISOs are responsible for supporting a rapidly evolving set of information risk decisions, while also facing greater oversight from regulators, executive teams and boards of directors.”
IT security market development
These significant enterprise challenges are further compounded by the pressure that the COVID-19 pandemic has put on the information technology (IT) security function to be more agile and flexible.
Gartner’s measure of CISO effectiveness is determined by a CISO’s ability to execute against a set of outcomes in four categories:
- Functional leadership
- Information security service delivery
- Scaled governance
- Enterprise responsiveness
The survey respondent’s score in each category was combined together to calculate their overall effectiveness score. Gartner defines ‘effective CISOs’ as those who scored in the top one-third of the CISO effectiveness measure.
Of the factors that impact CISO effectiveness, Gartner revealed five behaviors that significantly differentiate top-performing CISOs from bottom performers. On average, each of these behaviors is twice as prevalent in top performers than in bottom performers.
“A clear trend among top-performing CISOs is demonstrating a high level of proactiveness, whether that’s staying abreast of evolving threats, communicating emerging risks with stakeholders or having a formal succession plan,” said Olyaei. “CISOs should prioritize these kinds of proactive activities to boost their effectiveness.”
The survey also found that top-performing CISOs regularly meet with three times as many non-IT stakeholders (such as Line of Business leaders) as they do IT stakeholders.
Two-thirds of these top performers meet at least once per month with business unit leaders, while 43 percent meet with the CEO, 45 percent meet with the head of marketing and 30 percent meet with the head of sales.
According to the Gartner assessment, CISOs have historically built fruitful relationships with IT executives, but digital transformation has further democratized information security decision making.
Effective CISOs keep a close eye on how risks are evolving across the enterprise and develop strong relationships with the owners of that risk – senior business leaders outside of IT.
The survey also found that highly effective CISOs better manage workplace stressors. Just 27 percent of top-performing CISOs feel overloaded with security alerts, compared with 62 percent of bottom performers.
Furthermore, less than a third of top performers feel that they face unrealistic expectations from stakeholders, compared with half of the bottom performing CISOs.
Outlook for enterprise CISO leadership and influence
“As the CISO role becomes increasingly demanding, the most effective security leaders are those who can manage the stressors that they face daily,” said Olyaei.
Actions such as keeping a clear distinction between work and non-work, setting explicit expectations with stakeholders, and delegating or automating tasks are essential for enabling CISOs to function at a high level.
That said, I believe that IT security spans both the data and networking realm, due to the growing demand for hybrid IT solutions that incorporate a combination of on-premise data centers and public cloud computing infrastructure. Moreover, the inherent security benefits of SD-WAN solutions make them an essential tool for forward-thinking CISOs.
Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.