Research Unearths 5 Secrets for Higher Performing CISOs

IANS Research has developed a model designed to help chief information security officers to maintain their inherent promise: that is, “to safeguard critical assets across space and time.”

This model, which it calls CISO Impact, rests on two fundamental capabilities: technical excellence and organizational engagement. The former covers eight domains, from access control to incident response, while the latter covers seven factors, from running infosec like a business to getting the business to own the risk.

From this model, combined with insights from more than 1,200 high-performing CISOs and information security teams, IANS has developed what it terms ‘The 5 Secrets of High-Performing CISOs’.

“The connected world is a dangerous place,” says Stan Dolberg, chief research officer at IANS Research, “and because of this, CISOs and their teams must lead their organizations to adopt safe business practices. However, the challenge remains that many CISOs are leading from a position of little authority or influence. The CISO Impact diagnostic provides specific ways for CISOs to assert information security leadership skills that are commonly found in organizations one step ahead on the maturity curve. Our goal is to inform, contextualize and prioritize where to invest skills, practices, and technologies. Armed with this strong guidance, CISOs can chart their own paths to leadership.”

Put bluntly, the purpose of the report is to help lower-performing CISOs perform better by adopting the methods already used by high-performing CISOs. The five secrets to achieving career success are:

Lead without authority

Embrace the change agent role

Don’t wait to be invited to the party

Build a cohesive cyber cadre

It’s a 5 to 7-year journey to high impact

Each of these ‘secrets’ is discussed in the report and supported by statistical research evidence. For example, 100% of high performers lead despite having no authority, using “persuasion, negotiation, conflict management, communication, education.” Only 3% of low performers succeed in this.

For the second ‘secret’, the report states, “High-performing CISOs know the value of engaging to drive change. In the CISO Impact data, 3 out of 4 of high performers embrace this approach, compared to 1 in 20 of the low performers. To embrace this role, know the business, know yourself, and get ready to ‘make lemonade’.”

The third secret is less widely adopted by the high performers. “More than half of high performers in the CISO Impact data set didn’t wait for executives to have an epiphany that security matters,” states the report. “They leveraged the power of simulation to generate the emotional experience of loss or compromise that is fundamental to an engaged executive team.” Fewer than 1% of low performers did the same.

In secret 4, “High performers patiently assemble and train more than a team — they culture a cyber cadre.” This approach is adopted by 85% of high performers; but by only 1.4% of low performers.

The fifth secret warns that there is no quick fix. “Five to seven years is a realistic time frame for building the trust, the program, the team, and the value of information security to the point where information security is baked in.” 

These five secrets provide sound advice for improving company security and enhancing CISO careers. As stand-alone research, however, the report has two problems. The first is how the distinction between a high performer and a low performer is drawn. The second is that it is easier to be a high performer in some companies than in others.

Martin Zinaich (CSSLP, CRISC, CISSP, CISA, CISM and more), information security officer for the City of Tampa, comments: “‘You must lead without authority’ — that is so very true! You have to do that both technically and from an organic business integration standpoint. Yet,” he told SecurityWeek, “the study shows that 60% of high performing security leaders report into risk and business roles (that have authority) — and 95% of lower performing CISOs report to the CIO (where they don’t). Those two stats show the simple reality that it is very difficult to lead without authority. Almost every non-technical safe corporate wide business practice I have seen where the CISO is lacking authority has come via post breach, regulations or working with the Audit department.”

The danger for research statistics is that some of the low performers could be high performers in a different company with more resources and/or a more receptive C-Suite. 

A similar issue occurs in the fifth secret; that is, ‘it’s a 5 to 7-year journey to high impact’. The reality is that few CISOs will remain in one position for that long — in fact, it is probably only the high performing CISOs already occupying a high-flying position with a security-aware company that will do so.

Such concerns, however, only affect the statistical difference between high- and low-performing security officers. The basic arguments contained within the five secrets remain sound advice for any CISO who wants to better secure his organization and improve his career prospects.

The IANS Research report, “The 5 Secrets of High-Performing CISOs” will be presented at the RSA Conference next week.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
