What successful chief information security officers are doing right

The role of the chief information security officer (CISO) has become increasingly mainstream and strategic in recent years. While mandates vary among organizations, the CISO’s role has evolved from being technology focused to one of a business enabler and risk manager.

More and more CISOs are reporting directly to the CEO or chief risk officer, sometimes the CIO, and often with a dotted line or strong alignment to legal and compliance functions. Many have direct responsibility for security risk, ensuring due care to protect sensitive data, and asserting that such data has followed the right chain of trust while ensuring the business continues to operate securely.

In CGI’s work with numerous organizations that have the CISO role, we have observed that the most successful CISOs are strong leaders who serve as the “glue” between the business needs and the operational security resources.

These successful CISOs:

• Are engrained in the business strategy, allowing them to fully understand the security risks, legal requirements and implications across business processes and the supply chain. They maintain a strategic view and keep tactical operations focused on strategic business goals.
• Are present, physically and logically. It is hard, not to mention risky, to imagine how such a role could be performed virtually. Successful CISOs are reading the pulse of their organization on an ongoing basis by being present and engaged with the business owners.
• Maintain and develop a pragmatic risk mitigation strategy that is realistic about budgets, and balances risk and cost.
• Are able to integrate security knowledge into every business function. This enables a holistic strategy instead of point solutions and silos.
• Ensure policies and ethical standards are understood by employees, from onboarding through ongoing performance management across all geographies.
• Don’t go it alone, but share the risk with trusted partners. As such, they demand requisite due diligence in contracts for managed security, advisory or auditing services and more. Since today’s partners often work across business areas, CISOs also ensure safeguards are in place for a holistic solution. They also provide these partners with the outcomes they want, rather than constantly trying and hiring to deliver everything internally.
• Demonstrate the value of chosen technologies and partners through measurable results. This means having visibility through executive dashboards as well as reporting on compliance, threats averted and costs saved from preventing network downtime and lost productivity and more.
• Constantly adapt to changing requirements, threats and technologies.

While CISOs have immense responsibilities and broad mandates, a common thread among the most successful ones is a tangible enthusiasm for the role. Their challenges and opportunities are fast-paced and exciting. Being in a position to improve and protect their organizations and influence their industry, while also being empowered to actively respond to attacks, is exciting. The significance of the role intensifies this enthusiasm. As a result, many CISOs choose to partner with likeminded experts and firms, like CGI, who share in this excitement and bring a “can do” attitude to the table.