
What Makes a Good CISO?

Having the right Chief Information Security Officer can be decisive in the organization’s cybersecurity efforts.

Editor’s note: This is the second article in a two-part series about cybersecurity preparedness. Read part I, “Does Your Organization Need a CISO or an External Advisor?” 

It’s time to think about cybersecurity as an existential threat to your business. As boards and senior leadership increasingly prioritize the issue, the question remains whether companies are prepared to prevent and manage cyber-attacks. From a board perspective, there are several tangible actions to strengthen cyber-preparedness and protect organizations from current and emerging threats, as we describe in our playbook, “Rewiring Boardroom Cybersecurity.”

The executive team is critically important, and having the right Chief Information Security Officer (CISO) can be decisive in the organization’s efforts. The role of CISOs has evolved significantly over the years, from heavily focusing on compliance to actively engaging with the organization and championing cybersecurity from the inside out. 

In the past, the CISO was often viewed as a roadblock to business operations, and their primary responsibility was to ensure compliance with regulations and industry standards. However, as the threat landscape has evolved, so has the function. Today, the role is responsible for securing the organization's digital assets and data while actively engaging with the board and senior management to ensure proper visibility and prioritization. This means working to democratize cybersecurity knowledge, presenting relevant facts, and fostering the right conversations. Additionally, the CISO must build a comprehensive incident response plan to thwart and minimize the impact of any successful attack.

Expanding the CISO’s Skills

Drawing on our work conducting multiple CISO searches around the globe, we gathered the most common business challenges our clients face and what skills their CISOs are tapping into to bridge the gap between operating with innovation at the core while keeping the organization safe from cyber-attacks. 

These include: 

Business challenge: Technical expertise with added complexity as new technologies and threats emerge.

  • Top skills: Executives must come with a strong track record within specific domains.

Business challenge: Engagement with the board and gravitas to influence actively throughout C-level to prioritize and allocate resources. 

  • Top skills: Executives must possess strong presentation and persuasion skills.

Business challenge: Development of business opportunities and innovation while shielding the organization without draining resources. 

  • Top skills: A strong business mindset and understanding, blended with a collaborative and pragmatic approach.

Business challenge: Collaborating with other areas of the business to incorporate security in the genesis of product development. Developing secure products from the start is much easier than patching a security-"innocent" one.

  • Top skills: Strong influencing and internal networking, and ability to drive change.

Business challenge: State actors and other attackers becoming more sophisticated, and sometimes coordinated. 

  • Top skills: A pre-emptive mindset, ability to understand and predict tendencies, in order to move one step ahead. Strong network to ensure rapid learning of new exploitable vectors or strategies. 

Business challenge: Larger teams, strong competition for talent and a need to ensure risks are identified and surfaced, not covered up. 

  • Top skills: Growth mindset, both to develop talent internally and to see in each breach an opportunity to learn and improve, rather than to punish for mistakes.

Bridging the Board’s Knowledge Gap

Given the highly technical nature of cybersecurity, the topic can become very complex, very fast, and board members can feel their knowledge and experience are not adequate enough to engage, ask questions and help the company properly allocate resources to ensure an effective approach.

This is where the CISO comes in.

The effectiveness of a CISO in communicating with the board can make a significant impact on the quality of discussions on cybersecurity. An effective CISO is a communicator and enabler. They must be able and willing to present information in a way that is easily understandable and without technical jargon, while a poor communicator may hinder the discussion by using language that is confusing or inaccessible. A critical part of the CISO’s role is to champion the issue and simplify it to enable a productive conversation in the boardroom.

CISOs who bring a business mindset and present risks and priorities in a language that is easily understood will help board members fulfil their fiduciary responsibility, and at the same time receive the required attention and resources. Ideally, the CISO will have the ability to progressively educate the board, helping it become savvier and more effective. One of our recently placed CISOs put together a short cybersecurity presentation to help board members bridge the knowledge gap.

What Does ‘Technical Expertise’ Mean in a Cybersecurity Context?

In addition to an expanded set of required abilities and skills, CISOs must also possess deep technical expertise. Below, we outline some high-level considerations for potential CISOs. They should have:

  • A strong network within government agencies (law enforcement, military backgrounds). They communicate actively to share discoveries and lessons.

  • Experience going through audits, not with a mindset to get an approval, but to improve security.

  • A "when," not an "if," mentality, focusing actively on prevention as well as on detection and recovery.

  • A growth mindset, seeing events as unavoidable and as an opportunity to learn. They make sure the same vulnerability is not exploited twice.

  • An understanding of the importance of secure and rapidly accessible backup environments.

  • Experience operating in cloud environments, as well as deploying differing levels of network security.

  • A forward-looking mindset, with an understanding of how technology will evolve and what the company product roadmap is, preparing a cybersecurity roadmap accordingly.

As a major business risk across every industry, cybersecurity must be front and center. Armoring your systems against a potential attack, or at least ensuring they can recover from one, starts with having the right CISO in place, which has a ripple effect on the C-suite, workforce, and the board. Only then can companies stay ahead of the challenge and safeguard not only the business, but its entire ecosystem—which is only the first step of a continuous effort to incorporate cybersecurity

Learn more about Egon Zehnder’s Cybersecurity work.
