What Makes a Great Security Leader?
What does leadership mean to you? We all have our own ideas about what it means to be a good leader. For example, some people think leadership means guiding others to complete a particular task, while others believe it means motivating the members of your team to be their best selves. But while the definitions may vary, the general sentiments remain the same: leaders are people who know how to achieve goals and inspire people along the way.
We are fortunate to have two security leaders on our team, Lynn Mattice of risk management consultancy firm Mattice and Associates and Jerry Brennan of security executive search firm SMR Group, to define what enterprise security leadership means to them.
What are the most important leadership aspects of a CSO?
Lynn Mattice and Jerry Brennan: Chief Executive Magazine last year published the results of a survey they conducted of CEOs asking them to identify the top 10 skills needed for effective leadership. The results were as follows:
I. Adaptability to Change
II. Strategic Thinking
IV. Very Good Communicator
V. Being Trustworthy and Open
VII. Develops and Fosters Diverse Teams
IX. A Positive Mind-set
X. High Self-awareness
Based on what is important to CEOs, if a CSO embraces and demonstrates the skills listed above, success will be more probable… However, one must also take into account the personality traits of the individual CSO as well as the culture of the enterprise itself. If there are disconnects, then there is little probability the CSO has any chance of being successful in that particular environment.
To compare, visit www.SecurityMagazine.com/WebExclusives to see what CSOs view as the most important leadership traits for their position, as demonstrated by a survey conducted by SMR Group and Premier Profiling.
What can a new or junior security executive do in terms of networking to land a CSO role?
Mattice and Brennan: If their CSO is a member of ISMA and OSAC, there are a number of opportunities generated by both organizations that not only enhance their skill sets, but also provide incredible opportunities to network with colleagues, peers and CSOs from a broad range of companies.
What can a new security executive do in terms of education to land a CSO role?
Mattice and Brennan: The most important skill for a CSO is to understand business, risk and process management. A number of highly respected major universities have outstanding programs and special conferences on these key topics, as well as online courses. The ability to identify and analyze risks and threats to the enterprise is vital to the survivability of the enterprise and is key to providing actionable intelligence to key decision makers. Providing relevant and timely intelligence that allows executive management to make informed decisions can dramatically enhance the value the CSO brings to the enterprise’s hierarchy.
How important is it to “sell” your skills and leadership qualities?
Mattice and Brennan: CSOs must first demonstrate that they connect with and are aligned with the business as well as the goals of the enterprise. A CSO has to have an “elevator speech” ready to go on a moment’s notice. If one is lucky enough to find a mentor in one of the key executives, they can not only guide the CSO with insights relative to what resonates with the particular senior management of the company, but can also act as a champion for the CSO. The other important aspect to consider is to develop key metrics that are meaningful to the enterprise’s leadership. While a number of measurements and metrics are helpful in managing the security functions, only key metrics should be provided to management, and those key metrics should be targeted at supporting the specific goals of the enterprise.
Is it important to know the IT aspects of an enterprise in order to land a CSO role?
Mattice and Brennan: In today’s world of the Internet of Everything, the more knowledge a CSO has of issues that can affect an enterprise's IT architecture, network, hardware, software and applications… the greater his or her prospects of expanding the CSO role once fully engaged in the enterprise. There has been some consolidation of IT security under the CSO, but it has been slow to occur because a significant number of CSOs believe they have to be fully conversant in IT to manage the role. CSOs need to look at IT security in the same manner they look at any other function in their portfolio… it is just another set of processes that need to be managed. Bifurcating the CIO and CISO functions can result in an easing of tension and a more fluid movement to an environment of robust cyber threat management.