A recent study released by Gartner at their virtual security and risk management summit, revealed that only 12% of CISOs (chief information security officers) are considered “highly effective.” Before the breakdown of what Gartner listed as items for effectiveness, you should know that their study results are based on answers from 129 information risk management (security) executives.
When we look at the CISO, their role is one that has always held a lot of pressure, as well as little room for a voice where their (the CISO’s) voice should be heard, in the C-Suite and boardroom. In this regard, it is not necessarily the CISO who is to blame on the “highly effective” or “not so highly effective” note. If anything, all involved within the company are to blame because there isn’t a security business culture that is open to communication amongst the CISO, all employees, departments and executives. Until risk management is not made part of the business structure, operations, training, and so on; this will always lead to a less than highly effective CISO due to lack of communication on security and risk management program topics.
If any business wants to get a highly effective CISO, open communication is one of the top aspects that needs to be provided and made possible to that CISO. A company also needs to be open to implementing what is needed from a security standpoint and not object for no other reason than because one thinks there is no need for this item or that item, or because it is too much money for something deemed by one executive as unnecessary. Remember, who is the expert on security, you or the CISO? If you have a CIO, then the CISO is reporting to them, in which case, the CISO’s expertise and feedback should still not be undermined if open communication is to take place.
If on the other hand, there is doubt on the CISO’s competence, expertise, and knowledge in the risk management area or their transparency on such topics; that’s a very different story. It’s an issue, but nevertheless, there is a handy solution to it. You always have easy and quick access to companies like ours, NCX Group; who are always readily available to hold your hand through the risk management and cybersecurity process, to get the nuts and bolts of it all, to meet compliance requirements, patch vulnerabilities, train employees, and put together plans and procedures that will stick and that will get everyone to understand why and how to do it right.
Now, when we look at what Gartner uses to determine the effectiveness of the CISO, here’s what we find.
Their assessment is determined “by a CISO’s ability to execute against a set of outcomes” in the following four categories:
- Functional leadership
- Information security service delivery
- Scaled governance
- Enterprise responsiveness
Furthermore, the results reveal that the top performing CISOs hold five key behaviors:
- They initiate discussions on evolving norms to stay ahead of threats
- They prioritize keeping decision-makers aware of current and potential future risks to the enterprise
- They proactively engage in securing emerging technologies
- They have a formal and actionable succession plan
- They define risk appetite through collaboration with senior business decision makers
Also noted is that they meet three times more with non-IT stakeholders than the bottom-performing CISOs.
As you can see, all of these behaviors point to open communication within a company on risk management and security matters.
When you give your CISO a voice, and you listen, they will have things to say. When you trust who is leading your risk management program and security steps and listen, they will guide you towards what will keep your business safe and protected.
If you need risk management and security expertise, our experts are always only a phone call away.
Book your introductory security call now.
Or schedule your risk management meeting to get a highly effective CISO.
Photo courtesy of Who is Danny