Information security leaders – the CSOs, CISOs and IT Directors and Managers – play a critical role in today’s organizations. From safeguarding intellectual property to protecting sensitive customer information to managing internal IT controls to adhering to rampant government regulations, information security leaders have a lot on their plates.
The interesting thing I’ve discovered in recent years – formerly as an employee and now as a consultant – is that some information security leaders are highly successful in leading their cause while many are not. I’m convinced that, with all things being equal (i.e. executive support for information security, employee awareness, etc.), there are certain personality traits and leadership skills that are essential for success in this role.
The following are the four essential ones:
1. They have tons of common sense
Information security leaders that have a practical eye for what really works and what doesn’t, from both a procedural and a technical perspective, are the ones that succeed. Leaders that are strictly theoretical and work “by the book” (i.e. believing that firewalls and encryption equal ultimate security), or that rely solely on vendor recommendations (i.e. “this whiz-bang intrusion detection or patch management system is all you need”), are the ones that will ultimately fail.
Takeaway: Successful information security leaders make informed decisions. They don’t believe everything they hear. They realize that realistic security policies, plans and organizational awareness of the threats and vulnerabilities involved with IT are really what makes information secure.
2. They possess the ability to sell
Information security leaders that can sell the importance of security to their executives and employees are the ones that succeed. They possess a passion for what they believe. This is the key to persuasion – and the key to persuasion is motivation. They know that human actions are motivated by something – either the desire for gain or the fear of loss. This doesn’t mean they operate on those fears themselves; rather, they educate themselves on the risks involved in depending on IT for almost every aspect of the business and use their imagination to find positive ways to educate others. Leaders that operate on fear, uncertainty and doubt (referred to as FUD); that force information security safeguards on people in the name of security without keeping the end goals in mind; and that sell security based strictly on ROI and theoretical calculations of risk can’t last long.
Takeaway: Successful information security leaders focus on selling security to others (disguised as education) in terms of the end user experience (convenience and usability) and in terms of the business (what it will buy, and what it will protect the business from, in the long term).
3. They are in touch with technology
Information security leaders that possess the ability to embrace technology, study it and understand where it does and does not fit in are the ones that will succeed. At the same time, these leaders have enough maturity to understand their limitations. They know when to delegate and to whom they should delegate overly technical issues. Leaders that ignore technology and view it as “the network administrator’s issue” or, at the other extreme, sink their heads so deeply into highly technical issues that they refuse to delegate and lose sight of the more important business-level issues will run out of gas quickly.
Takeaway: Successful information security leaders realize that technology is not the solution to information security problems, but know enough about it to be able to use it to enforce policies and to make informed decisions on information security controls and purchases. A basic understanding of, general interest in, and even curiosity about technology can certainly improve an information security leader’s chances of success.
4. They think long-term
Information security leaders keep their eyes on the horizon and are constantly finding innovative ways for information security to help the business. This could come in the form of implementing new controls that make a system more usable while, at the same time, increasing the security of the system’s information. Or, it could come in the form of new business service offerings that become possible once confidential information can be effectively secured. Leaders that won’t last are the ones that lock down the information systems more and more without keeping the end user in mind. Successful leaders also watch out for short-term technical fixes such as overly-hyped encryption technologies or four-factor authentication systems that claim to solve problems that could otherwise be fixed with better security policies and procedures or even lower-cost technologies.
Takeaway: Successful information security leaders realize that the long view sharpens their short view. They innovate, not for specific short-term fixes, but for long-term business improvements. They don’t major in minors; rather, they focus their organization’s unique talents and offerings on information security solutions that embrace the business. They know that, in the long term, inspiring trust rather than relying on tight controls is best for everyone.
The bottom line is that successful information security leaders focus on leading rather than putting out fires. Their nature is to be proactive rather than reactive, and they keep things practical by focusing their efforts (and budgets) on areas with the highest payoffs. Perhaps most importantly, successful information security leaders know they must continually focus on their ongoing education to keep their skills sharp and keep up with the latest trends, staying on top of this critical business role that’s not going away.