3 Leadership Lessons from Top CISOs

Perhaps more than any other C-suite role, CISOs must collaborate with other security leaders to be successful. The nature of their role means that security leaders face common threats and challenges, and with the proliferation of security threats and the ever-changing nature of them, CISOs know they can benefit from regularly exchanging information and intelligence with their peers at other companies.

In addition, the CISO role has evolved over time from a technical one to a true business partner. CISOs must understand risk and articulate the risk-reward trade offs in order for the business to grow and innovate in a secure manner. There is also a heightened need for executives across the business to understand their risks. For the CISO, that means more focus on effective communications to the C-suite and the board. 

We asked CISOs from across Evanta’s global communities for their advice to other security leaders just starting out in the role of CISO. Here are three themes that emerged from their responses. 
 

1. Get to know your own organization and its vulnerabilities.

CISOs emphasize the need to know your own organization, its processes, and unique threats. The universe of possible threats is overwhelming – thus, CISOs advise their peers to learn their specific problem areas. They also say that a key part of this is understanding the business in addition to the technology.

Know your own mind and really own the problem space. You can’t form a strategy and a plan if all you do is sweep together lots of generic and conflicting opinions. By putting in the work to understand the problem spaces, you can construct your own framework/model/method of thinking about your organisation’s cyber problems, and come up with a grounded plan.”

Luke Fairless, Director, Technology (Security Program & Capability), Tesco Plc
Co-Chair of the UK & Ireland Community

I would advise a new CISO to listen closely to gain visibility into what is and is not currently working for the organization. Strive to understand the key players, the underlying technical stack, and the strengths and weaknesses of your team.”

Steve Grossman, CISO NBA
Co-Chair of the New York CISO Community

Don’t get bogged down in technical items. The CISO role is ultimately a business/risk role. It may be hard to let go of doing the technical work, but you need to let your team focus on the technical work and instead spend your time with the business stakeholders to understand their needs and educate them on the risk tradeoffs.”

Ragulan Sinnarajah, VP, IT Shared Services & Head of Cyber Security, Sobeys
Co-Chair of the Toronto CISO Community
 

1. Establish strong internal relationships and find allies.

CISOs know that they need to rely on others to succeed and recommend finding allies internally. Risk management is a shared responsibility, and many security leaders rely on peers on the team for support, among others.

Find allies! Being a CISO is not a one-person job. To be successful you need to have people around you, and if you haven't got direct reports – create a virtual team. From the get-go, it's also very important you make your organization aware that the ownership of risk lies with them and that you aren't a scapegoat.”

Bjørn Richard Watne, SVP, Group CISO, Storebrand
Co-Chair of the Nordic CISO Community

Appreciate that you don’t have all of the answers, nor should you. Leverage your community, your peers and your team. Embrace a diversity of thought, and don’t be afraid to seek it out and ask for it.”

Brian Talbert, CISO, Alaska Airlines
Governing Body Member of the Seattle CISO Community

Putting in place a security program takes time, discipline, and enterprise-wide ownership – it will not occur overnight. To begin, you should start foundationally by learning your business and establishing strong relationships to guide your pathway to success.”

Annessa McKenzie, CISO, ConocoPhillips
Co-Chair of the Houston CISO Community

Pace yourself! Don’t try to do everything for everyone at once or solve every issue that comes to your desk. Additionally, make sure to build strong relationships with key stakeholders around the organization.”

Robert Mungenast, CISO, Electrolux
Co-Chair of the Nordic CISO Community
 

1. Communicate effectively – in the language of the business.

To be most effective, CISOs have to communicate highly technical information in an understandable manner. In addition, CISOs agree that it’s essential to frame security issues and risks in a way that aligns with the business’ key priorities.

The CISO’s job may seem hyper-focused on technical and administrative capabilities, but success is determined by relationships and articulation of how cybersecurity is driving business success. The ability to incorporate your efforts in both strategic and tactical business operations is critical to the success of the role and the overall program.”

Ramesh Srinivasan, Head of Global Cybersecurity, Americold
Governing Body Member of the Atlanta CISO Community

My advice would be to learn as much as possible about the business processes, the organisation, and your stakeholders. You should be able to speak the language of your stakeholders before you discuss security threats and risks. Use this knowledge to create synergy in goals and set up collaborations.”

Kay Behnke, CISO, Genmab
Co-Chair of the Benelux CISO Community

Your communication is critical — in setting the culture of your team, developing others, and developing support and relationships with key stakeholders.”

Paul Connelly, Vice President & Chief Security Officer, HCA Healthcare
Governing Body Member of the Atlanta CISO Community
 

Learn from Your CISO Peers

Members of Evanta's CISO Communities get together regularly to discuss their shared challenges and help each other combat threats and manage risk at their organizations. Apply to join your local CISO Community, and take a look at the calendar to see when your CISO community is gathering next.