Security leaders have never been more vital to the health of a company, and as you build out your security team there is more to consider than just technical aptitude. Their elevated importance is tied to the increased and inevitable risk companies currently face thanks to factors like advanced technology and globalization. Across industries, leading companies are asking their security leaders to focus on areas of the company they did not think about before. Areas like sales, product development, and general board interactions are prompting Chief Security Officers, CISOs, and other security leaders to be active beyond their traditional role in information technology.
More so than ever, this shift in organizational needs requires a different set of strengths in security leaders—qualities that extend beyond traditional technical skills. That foundational experience remains important, and the best security leaders are those with the knowledge and capability to hold the technical part of the organization accountable. But what other key attributes should your organization consider when hiring or developing a security leader?
A strong security leader must have the so-called “firefighter’s mentality.” No, you don’t want your building to be on fire when you bring in a security chief, and great security leaders don’t necessarily want to go into burning buildings.
Firefighters do more than run into flames. They work to prevent them.
Think of the care that’s taken to ensure buildings are up to code, dry grass is managed, and homeowners are educated on smoke detectors. Firefighters identify risk and vulnerability, and they establish processes to mitigate those risks because they know proactive work is essential to an effective prevention program. Fires will still occur, but ideally, the protective measures put into place will keep the flames from getting out of control. Okay, have I beaten this metaphor into the ground yet?
Your chief security leader should have the same mentality; they will prioritize the proactive work that will prevent issues, but aren’t afraid to jump in when something goes wrong. Moreover, they are seeking out the most vulnerable industries and companies, and running into the fire when others might be focused on self-preservation. The best CISO/CSOs I know get excited about roles that will test their ability to both fight and prevent fires, and in today’s world, that includes just about every industry.
In high-risk environments, a balanced communication style is critical. Your security leader should be able to distill potentially worrisome information in a way that drives urgency, but not panic. The temptation, when asking for budget or resources, is to paint a picture that makes funding the security program a no-brainer. While communicating with the board, or within the broader organization, the security leader should be able to present business risks or gap analyses plus potential solutions in a way that instills confidence without driving fear.
First and foremost, an effective leader should be able to translate the complexities of their security awareness program into simpler terms. They must know what information should be included in broader communication to the full company, as well as the messages that resonate best within different functions of the organization. For instance, gamification or rewards might be effective with sales teams, while a more technical approach may connect to teams aligned with the product or service.
Collaboration should stretch well beyond the walls of your organization, and it should also be airtight within those walls. Whether you’ve just hired your first security leader or have a well-established function, CISO/CSOs should be in constant contact with executives from every function and business unit within a company. Privacy and data protection require cooperation among legal, engineering, data, and product teams. Third-party risk requires working closely with sales, business development, procurement, and M&A teams. These examples only scratch the surface of how deeply a security program is rooted in the organization.
If your leader is not closely aligned to other teams, you are at serious risk. The best, most effective leaders build cultures that deeply embed the security team within other functions of the business. Security should not be hiding in a dark room in the basement of your company’s IT group. Cross-functional work should be happening at all levels, and your security leader should be driving that collaboration.
How do you know whether your leader is a natural collaborator? You evaluate how effectively they leverage their network. Do they tap into close connections and resources to test ideas, innovate, and gather feedback? Successful CISOs and CSOs are those with active networks. They are hyper-focused on advancing security initiatives across industries, and they openly share their ideas and learnings with other experts and, although it may seem blasphemous, even with business competitors, for the overall security mission. Security leaders should allot a portion of their time each quarter for external collaboration, not only for the good of the company, but also for their own development.
Passionate and Disciplined Leader
It goes without saying that passion should be a key quality in any leader on your executive team, but when passion is met with a strong sense of discipline, that’s where you’ll find the greatest success. The best security programs have leaders with an infectious attitude that can be felt throughout your organization.
When every function in your business talks about security in the same terms, you know you’ve reached a maturity level that many programs don’t achieve. That success, more often than not, is the result of a passionate leader who takes a disciplined approach to implementing their vision. Security leaders are putting together programs that take 24-36 months to implement, requiring the ability to step back, look at and communicate the bigger picture, and set realistic milestones along the way. Those milestones should include clearly defined goals, metrics, and tools necessary to achieve success, and a great security leader has the discipline to define and hold the company to their vision for the program every step of the way.
The most effective programs are led by someone who can balance the role of “cheerleader” and effective operator, and I put passion and discipline together because the two qualities need to co-exist in a leader to be truly effective. When they do, it’s reflected in the culture, as well as in how success is defined and celebrated by the team. Passion and discipline are crucial in such a risky, sometimes paranoia-filled environment, and the combination goes a long way in keeping things light and effective.
Invest in developing your security leaders
By no means am I of the opinion that you should only focus on these qualities while looking for or developing your security leader; leading a security program takes a broad range of technical, industry, and security-related skills. My point is, without these four key qualities, you are fighting with one arm tied behind your back.
Security leaders are on the frontlines protecting your business from a variety of potential threats, and digging into these characteristics during the interview process—or investing in them as you develop your existing team—is critical to the success of your security program and your organization as a whole.
If you’re interested in learning more about SPMB or how we approach identifying security leaders at the executive level, please contact us at spmb.com or contact the author, Radley Meyers, directly.