Earlier this year, ESG and the Information Systems Security Association (ISSA) published a research report titled, The State of Cyber Security Careers. The report was based on a survey of 437 cybersecurity professionals, the clear majority of which were ISSA members.
Two-thirds of these cybersecurity professionals worked at an organization that employed a CSO or CISO. These individuals were then asked to identify the most important qualities that make a successful CISO. Here is a sample of the results:
- 50% of respondents said strong leadership skills were most important
- 47% of respondents said strong communication skills were most important
- 30% of respondents said a strong relationship with business executives was most important
- 29% of respondents said a strong relationship with the CIO and other members of the IT leadership team was most important
- 23% of respondents said strong management skills were most important
Based upon this list, it’s clear that successful CISOs need to be strong business people who can work with business and IT executives. This is an important consideration since many security professionals are deeply rooted in the technology rather than the business aspects of infosec.
So, if these are the characteristics that influence CISO success, what determines failure? Cybersecurity pros were also asked what the most likely factors were that caused CISOs to leave an organization. The data indicates that:
- 31% said CISOs leave when the organization does not have a culture that emphasizes cybersecurity
- 30% said CISOs leave when the CISO is not an active participant with executive managers or the board of directors
- 27% said CISOs leave when they are offered a higher compensation package at another organization
- 23% said CISOs leave when the cybersecurity budget is not commensurate with an organization’s size
- 22% said CISOs leave when the IT organization ignores or minimizes cybersecurity as part of its planning and decision making process
Looking across all this data, CISOs need to be strong leaders, communicators, influencers, and schmoozer who can translate cybersecurity risk into metrics and ideas for business planning. Alternatively, organizations must give CISOs the opportunity to take on this role or they will head for the door.
The entire ESG/ISSA report is available for free download here. Your comments, feedback and questions are welcome.