“If you always do what you’ve always done, you’ll always get what you’ve always got.”
This kernel of wisdom comes from a certain high-tech headhunter in the late 1980s, who passed it on as she was helping her candidates prepare for their next job. Twenty years later, it showed up again in “What Got You Here Won’t Get You There,” a best-selling business book by Marshall Goldsmith.
For today’s information security leader, it’s wisdom that’s still worth appreciating. The role of CISO is very much in transition, and it’s increasingly clear that the skills that got you there are not the skills that are going to keep you there, let alone move you forward. For those who aspire to become CISOs, the path to a leadership role in cybersecurity is not the same as it has traditionally been.
In the spirit of doing things differently, here are introductions to three specific dimensions of important changes for information security leaders and their teams if they want to make a bigger and more valued contribution to their organization.
As recommended in a strategy map for security leaders, successful next-generation CISOs should strive for their information security teams to be perceived by key stakeholders as strong in each of two distinct roles:
While acknowledging that every person is different, it’s generally true that current information security leaders have come up through the ranks of technical experts. These are the skills that got you there — and indeed, these are the skills that continue to be in short supply. But the leadership role is now demanding a blend of technical and business skills. Think of it as a cross between the business-savvy technologist and the tech-savvy businessperson.
Helping the organization to manage not only the unrewarded risks of protecting its assets and minimizing downside, but also the rewarded risks of enabling its assets and maximizing upside, is the fundamental value provided by the business function known as information security. For this reason, the successful next-generation CISO should be extremely capable and highly confident when addressing the following four questions:
Identifying, assessing and communicating effectively about security-related risks — along with making sound business recommendations regarding what to do about them — is the very reason that information security leaders and their teams exist! Unfortunately, far too many are really struggling with how to address these fundamental questions and need to make a deliberate effort to develop the necessary skills.
Pushing one level deeper in this line of thinking, successful next-generation CISOs will have to figure out how to help themselves and their teams overcome three persistent challenges.
If we always do what we’ve always done in these areas, we’ll always get what we’ve always got. An information security leader needs to take a different approach in each of these three dimensions if they want to drive different and more valuable results.
All rights reserved 2022