Thinking too tactically. Until recently, it was enough to have a tech-savvy leader who played defense by rolling out robust security software and making sure it was kept up-to-date. Today’s CISO must have an enterprise-level understanding of cyber risks and be able to communicate them to the board.
For example, a tech services firm recognized its cybersecurity leader wasn’t business-minded enough to support the company’s solutions business — one, ironically, focused on cybersecurity. The leader could manage the security challenges, but struggled to get things done across a matrix organization, and wasn’t viewed as a peer by the other business leaders—a requirement if the solutions business was to grow.
Mismanaging the reporting structure. To whom CISOs report and what access and influence they have are as important as their qualifications and experience. The role must be senior enough for the CISO to gain the respect of C-level executives and the board.
Yet just because the CISO job touches technology doesn’t mean it should always report to the CIO. A security chief hailing from the legacy compliance world could be out of place working for the IT chief. Similarly, a CISO steeped in cyber everything might suffer under the chief risk officer.
Conflict of interest is another risk. It’s never easy to tell your boss that her network is the source of the organization’s cybersecurity problems, particularly when it will cost big money to fix. Yet this happens frequently when CISOs report to CIOs.
Smart companies respond to this issue in different ways. Some elevate the function; others split the role so its risk component reports to the chief risk officer, the IT security part answers to the CIO, and physical security is under the general counsel.
Overemphasizing technical qualifications. “Tech cred” shouldn’t eclipse communication, collaboration, influencing ability, and the candidate’s fit with company culture. For example, a CISO who comes from a government or military background (where security is often the only priority) may not be effective at encouraging colleagues to change deeply ingrained behaviors in order to avoid cyber risks.
Similarly, the new CISO who consorts largely with the organization’s tech community — and can’t speak the language of business — is not doing the job; one who puts the board to sleep with tech talk will not be invited back.
Too many companies don’t attempt board interaction. A 2015 PwC study on cybercrime found that 28% of security leaders make no presentations at all to the board. By contrast, forward-looking companies actively encourage CISO–board interaction, for example, by bringing CISOs in to co-present to audit committees, or by pairing CISOs with seasoned executives elsewhere in the business to learn the ropes.
Unicorn hunting. We have seen companies wait in vain to land the ideal security leader — someone who bundles tremendous risk savvy with executive chops, collaborative skills, and a terrific suite of cyber skills — only to lose well-qualified candidates to faster competitors. One company recently lost seven months and several good candidates in this way.
For any role, “perfect” is rarely manifested in one person, and cybersecurity is no different. It’s better to start with organizational fit and a systematic look at a candidate’s strengths against the organization’s future needs.
Full article at the WSJ.