Sam Olyaei, research director at Gartner says CISOs must demonstrate a higher level of effectiveness than ever before.
“As the push to digital deepens, CISOs are responsible for supporting a rapidly evolving set of information risk decisions, while also facing greater oversight from regulators, executive teams and boards of directors. These challenges are further compounded by the pressure that COVID-19 has put on the information security function to be more agile and flexible.”
The 2020 Gartner CISO Effectiveness Survey was conducted among 129 heads of information risk functions, across all industries, globally in January 2020.
Gartner’s measure of CISO effectiveness is determined by a CISO’s ability to execute against a set of outcomes in the four categories of (i) functional leadership, (ii) information security service delivery, (iii) scaled governance and (iv) enterprise responsiveness.
Each respondent’s score in each category was added together to calculate their overall effectiveness score. Gartner defines “effective CISOs” as those who scored in the top one-third of the CISO effectiveness measure.
Most read: How C-suites should see security
Top-performing CISOs demonstrate five key behaviours
Of the factors that impact CISO effectiveness, Gartner revealed five behaviours that that significantly differentiate top-performing CISOs from bottom performers. On average, each of these behaviours is twice as prevalent in top performers than in bottom performers (see Figure 1).
Figure 1: Prevalence of behaviours among CISOs by performance
“A clear trend among top-performing CISOs is demonstrating a high level of proactiveness, whether that’s staying abreast of evolving threats, communicating emerging risks with stakeholders or having a formal succession plan,” said Olyaei. “CISOs should prioritise these kinds of proactive activities to boost their effectiveness.”
The survey also found that top performing CISOs meet with three times as many non-IT stakeholders as they do IT stakeholders. Two-thirds of these top performers meet at least once per month with business unit leaders, while 43% meet with the CEO, 45% meet with the head of marketing and 30% meet with the head of sales.
“CISOs have historically built fruitful relationships with IT executives, but digital transformation has further democratized information security decision making,” added Daria Krilenko, senior research director at Gartner. “Effective CISOs keep a close eye on how risks are evolving across the enterprise and develop strong relationships with the owners of that risk – senior business leaders outside of IT.”
Advocates of security as an enterprise issue
Jeff Yong Xun Xie, senior market analyst for Security at IDC Asia/Pacifc says CISOs/CIOs need to recognize and advocate that security issues are not IT problems.
“Security issues are business challenges that need to be addressed with business-strategy-aligned solutions. As the reliance on technology increases, maintaining oversight on the inventory of connected devices within the enterprise will provide strategic key risk indicators to better manage security,” he added.
IDC’s Future of Trust framework highlights the elements of trust that enterprises should focus on to achieve trusted outcomes. CISOs/CIOs should monitor the gaps in each of the elements continuously (Risk, Security, Compliance, Ethics, Social Responsibility and Privacy) and create strategic plans to bridge those shortcomings and maintain an acceptable risk level for the enterprise.
Effective CISOs are better at managing stress
The survey also found that highly effective CISOs better manage workplace stressors. Just 27% of top performing CISOs feel overloaded with security alerts, compared with 62% of bottom performers. Furthermore, less than a third of top performers feel that they face unrealistic expectations from stakeholders, compared with half of bottom performing CISOs.
Olyaei said as the CISO role becomes increasingly demanding, the most effective security leaders are those who can manage the stressors that they face daily.
“Actions such as keeping a clear distinction between work and nonwork, setting explicit expectations with stakeholders, and delegating or automating tasks are essential for enabling CISOs to function at a high level,” said Olyaei.