Seven things effective CISOs do

Today’s CISO plays a pivotal role not only in defining technical standards and security policies, but also in assuring customers of the security of their data and validating security controls to regulators. Many are struggling with this transition because they have been given these responsibilities without any real authority or visibility within their organizations. They also need a new set of skills to successfully fulfill their responsibilities.

MORE ON CIO.com

Your Guide To Good-Enough Compliance

Should Social Networks Be Banned at Work?

After talking to many successful CISOs of global organizations over the past year, Forrester Research identified seven practices that make them effective in their role.

1. Let Your Strong Moral Compass Guide You—Always

Forrester found that successful CISOs pointed to ethics and morality as an absolutely essential tenet of their role. Many said that they also look for this habit more than anything else when selecting staff for their security organizations.

Many successful CISOs said the trust they’d established was the primary reason they gained influence. CISOs need to deal with their fair share of office politics, and having a principled stance in those dealings helps build trust and credibility. There might be times when a CISO needs to make tough choices, like stopping a critical IT project from going live, and CISOs must be perceived to act justly and fairly. (Read What Is the Moral Responsibility of a Business Leader?

2. Be Flexible and Nimble

Although information security is more visible in the organization and has a greater set of responsibilities than in the past, the CISO still has to compete for the limited resources and attention span of the organization. Some successful techniques include looking for creative solutions, being prepared to move quickly and taking down controls that become unnecessary.

One CISO said he challenges his team never to say “no” to the business, but instead to work collaboratively to come up with alternative solutions. Another said that during the first 30 days on the job he evaluated all the visible security controls and worked to eliminate those that were redundant or could be addressed in a nonintrusive way. (More on being nimble.)

3. Run Security Like a Business

CISOs need to present the program in a businesslike manner for it to be taken seriously. Running the security program diligently and consistently, and tracking progress against established metrics and parameters, demonstrates that you treat security as an important business goal. CISOs can achieve this by:

• Developing and sticking to a security program
• Staying one step ahead of business planning cycles
• Being consistent and diligent in his/her actions
• Emphasizing customer service

(Read The Future of Information Security: 2008 and Beyond.)

4. Make Patience Your Top Virtue

One CISO described the job as similar to that of a painter of San Francisco’s Golden Gate Bridge—a task that never ends. This requires careful identification of priorities and a willingness to accept that cultural change happens over long periods of time. Measure your progress in small steps, but deal swiftly with ethical, legal and customer service shortcomings.

5. Be the King Maker, Not the King

Striving to make others successful in their roles has two advantages for the CISO. First, it earns deep appreciation and trust from the person being helped, who can subsequently be counted on to be an ally. Second, people in an organization eventually figure out who is the real “brains behind the operation,” even if it’s not evident in the short term.

Some CISOs argue that they already have enough difficulty getting the attention of the business management, and that if they allow others to be the “kings” it will become even harder to command attention. This argument might hold to some degree in the short run, but CISOs who have longer-term success adopt a more hands-off approach.

6. Work the Corporate Psyche

CISOs must be able to understand the corporate culture and mold themselves into a role that will be most effective in their organization. They have to be able to work the corporate psyche to hit the right notes, get the necessary buy-in and influence the right people. In a collaborative environment, the CISO may need to influence many people, but in a top down organization, it is sufficient to influence the leaders.

The CISO cannot be the face of every project related to security. In fact, a much more effective solution is to assign security resources as consultants and advisors to projects.

7. Gather Data and Know How to Use It

Having a clear understanding of the security posture is a constant challenge for CISOs. Given the reams of data churned out by security products, it is impossible to get a holistic understanding of the overall risk posture and the effectiveness of security. Successful CISOs spend the time and effort to build comprehensive measurement and reporting capabilities. Many of them also benchmark themselves against peers and encourage a culture of learning from mistakes.

Khalid Kark is a principal analyst at Forrester Research. He is a leading expert in security management, compliance, best practices and services. For more information on Forrester, please visit www.forrester.com. Free Forrester research (free site registration required) is also available at www.forrester.com/cisohabits.