What constitutes a great CISO?

Posting date:06 Sep 2019

In our recent white paper; The Evolving Role of the CISO, we interviewed Roy Whitehead – an established security professional with two decades of experience at the likes of Barclays, British Energy, Volvo, Jaguar Land Rover, British American Tobacco and Thomas Cook.

He describes himself as damming in his opinions towards most CISOs - comparing them to ‘heads of level folk’ and explores the idea that they are far too junior to be tackling a role that protects the security of an organisation.

He raises the argument that security is the most important aspect of any organisation and therefore requires a more senior level of CISO who have a far more diverse career history across IT and business management. This got me thinking. What does constitute a great CISO? 

For me – a great CISO's characteristic falls into five categories;

  • Experience. From the technical experience to the hands-on, this is vital for a great CISO. They should be well equipped with the knowledge and understanding of how to use different platforms and how to manage different functions.
  • Likeability and Communication. As a CISO, you need to be not just understood and appreciated but liked too. This is how you get buy-in from non-security personnel. Rather than sitting in an ivory tower and speaking a different language, CISOs must be accessible and remove the jargon from every conversation to ensure their demands are understandable to key stakeholders. Over time, their relationship with the board can become more transparent as executives learn to put more trust into the strategies, suggestions and requests made by the CISO in return. 
  • Starting from scratch. In my experience, a CISO that has built a function from bottom-up is usually a great one. The ability to mature a security function in the public sector for instance, where all stakeholders are risk adverse, bureaucratic and dismissive of security as an integral business principle – that is impressive stuff.
  • Getting your hands dirty. Decent CISOs aren’t always derivative from that environment but the same qualities can be recognised in a professional who has been able to open or expand a security function without using a managed service provider for instance. A person who is happy to get their hands dirty and get stuck in with the hands-on technical requirements. 
  • Ability to Align Security with Business Goals. A great CISO knows they are not there to control the business, but there to enable the business to do what they need to do in the most secure way. Great CISOs align their strategies with their firm’s mission values and understand how to communicate with business leaders in ways that are culturally aware, whilst enabling those leaders to make effective decisions. More importantly, a great CISO will always be playing a balancing act between what is good for security and what is good for the business.
In the paper, Roy describes his ideal CISO as a person equipped with a plethora of security qualifications, the ability to liaise, negotiate and conversate with non-security professionals and also, have experience in senior management roles in as many industries as possible.

For me, it’s simple. To be a great CISO you need a blend of security and general management experience – enabling you to build and maintain a security function while getting stakeholder investment, employee engagement and credibility throughout the organisation.

For full access to Roy's and our other contributors interviews, please follow the download link to our white paper below.