CEO and co-founder of Cyber Leadership Institute, a fast-growing community of cyber leaders from more than 50 countries.
The growing list of egregious cyber-attacks continues to drive demand for Chief Information Security Officers (CISOs). As the demand for cyber chiefs rises, so do salaries. According to the 2022 survey by Heidrick & Struggles, an executive search firm, companies must be willing to spend more than $1 million in total compensation packages to attract a high-quality CISO.
But through my company’s work training hundreds of cyber leaders from more than 50 countries, I’ve found that a significant portion of new CISOs fail to make an immediate impact, while some fail completely. Five mistakes stand out for their impact.
1. Over-reliance on technical skills
Predictably, most cyber leaders have a technical background. But as new CISOs quickly discover, technical skills are a small part of the job. The technical competencies that earned them accolades in functional roles are ill-suited to commanding respect from executive colleagues and leading complex change. When they can’t break free from operational duties, “techie” CISOs abdicate their leadership and strategy execution responsibilities. Without the C-suite and the board on their side, their cyber-transformation programs quickly run into rough waters.
I once heard of a CISO who spent weekends bunkered in a data center configuring Internet proxies and security alert tools. The result was predictable: the CISO was not visible to management, suffered burnout and the team felt powerless.
As ISACA’s State of Cybersecurity 2022 survey makes clear, there is an increasing demand for innovative CISOs with proven leadership skills, strategic thinking and the ability to take smart risks. This reality can be uncomfortable, but it must be faced. To increase the likelihood of success, new CISOs must proactively nurture deep relationships with decision-makers and translate complex technical matters into business language, while empowering their direct reports to make important technical and operational decisions.
2. Changing what already works
Overwhelmed by excitement, some new CISOs make the strategic mistake of making big changes too quickly. This is more likely if the CISO is a remote collaborator, with little visibility into existing political dynamics or technical constraints.
A new CISO I worked with made this career-derailing misstep. Shortly after stepping into the new role, the CISO engaged a global consulting firm to create a new roadmap based on industry best practice. But a few months earlier, the board had already approved a solid strategy developed by the previous CISO. When the CISO presented the hasty new strategy, everyone was upset, especially fellow executives, who felt the new CISO should have known to consult widely before spending time and resources. The new CISO’s leadership team, most of whom had worked with the previous CISO, felt disrespected and worked together to undermine the new strategy.
New cyber leaders often try to make their mark through bold actions. But without a delicate balance, hasty changes can create rifts that lead to mistrust, lost credibility and resentment. Avoid this common pitfall by slowing down, seeking out key stakeholders’ perspectives and incorporating them into the cybersecurity strategy. With a strongly shared sense of purpose, stakeholders are more likely to throw their weight behind cyber transformation programs.
3. Feeding their insecurities
The fear of failure drives some new CISOs into irrational behavior. They fall into the dangerous trap of hiring direct reports who pose no threat to their position, who conform and do as they are told. By leaving gaps in critical areas such as strategy execution, leadership and board communication, this irrational behavior creates fertile ground for inefficiencies, backbiting, project delays and costly mistakes.
Winning CISOs, on the other hand, develop self-awareness and use proven competencies as a benchmark for building high-performing teams. They unlock the power of diversity by employing people who compensate for their weaknesses, amplify their strengths, fearlessly challenge assumptions, and openly embrace opposing perspectives. Getting this right requires not only self-awareness, but also courage and humility.
4. Neglecting hearts and minds
When formulating strategies, some new CISOs are tempted to focus on flashy concepts: zero-trust tools, defense against zero-day threats, machine learning algorithms, etc. But by putting excessive trust in technical solutions, they overlook the people and change management aspects of transformation. Most cybersecurity projects — data loss prevention, mobile device management, multi-factor authentication, and others — require employees to fundamentally change their ingrained habits and ways of thinking. Forcing users outside their comfort zone without careful planning turbocharges resentment, undermining the potential of security investments.
Leading CISOs put people’s hearts and minds, not technology, at the heart of their strategies. They hire experienced change managers to work closely with the technical teams to identify the pain points that new solutions will introduce, anticipate cultural resistance and implement a range of measures to smooth things over. By delegating key decision points to the program manager, they free up time to manage key stakeholders, mentor direct reports, and closely involve the board.
5. Positioning cybersecurity as a necessary evil
The primary role of most CISOs is to mitigate risk. But focusing solely on mitigation positions cybersecurity as a traditional cost center with a very weak link to broader business goals. Without a compelling mission statement, new CISOs often struggle to gain board and executive support—a prerequisite for success. As a result, the CISO’s views are quickly knocked down and their budget requests hit brick walls, leaving them feeling like glorified system administrators.
To succeed, new CISOs must relentlessly tie cybersecurity budget requests to business goals. Take SOC 2 Type II reports, for example, which are globally accepted independent reports on the effectiveness of an organization’s controls over security, availability, processing integrity, confidentiality, and privacy. A proposal to move the organization towards SOC 2 certification that emphasizes the goal of speeding up reviews by potential customers is more likely to secure funding than a proposal simply asking to improve compliance.
It’s not that technical skills are unimportant, but my experience is that CISOs who have immediate and lasting impact do so by engaging closely with key stakeholders, positioning cyber transformation as a business enabler and handling complex change with care. They also put people’s hearts and minds, not technology, at the center of everything they do.