How CISOs Make Decisions

February 28, 2018 | By Phil Gardner, IANS Founder & CEO


As a tight-knit and justifiably reticent group, CISOs don’t typically share their best practices. So at the end of 2017, my firm, IANS, completed a research study based off the responses of 218 top security professionals. Below, I’ll be highlighting key takeaways from the research, which paints a picture of how CISOs make decisions.

How do effective CISOs make good decisions? Here are the three main findings:

1. CISOs rely on peer networks to help them succeed in their role, but access varies. 

The world of digital threats is constantly evolving. There is so much input, so many new attacks to understand and defend against. So, the ability to talk to peers and understand what matters — and, just as critically, what doesn’t — is tremendously important. CISOs are intrinsically collaborative. There’s a culture of sharing knowledge with trusted peers and experts. But developing and maintaining a quality network requires time and effort:

  • 73% of those surveyed spend 1 hour or more per month participating in formal peer networks. 
  • 50% spend five or more hours per month on informal peer networking. 

Many respondents cited participating in events as a common practice, but they also complained of a lack of access to experts capable of fueling new approaches and innovative thinking.

Still, our study revealed that when CISOs do connect with experts or well-informed, equally passionate peers — individuals who share their challenges and aren’t trying to sell them something — they work hard to maintain and cultivate these relationships. 

2. They understand the value of social media.

One successful CISO, who directs information security for a large financial services firm, is not the sort you’d expect to be active on social media. Meet him and a few trusted colleagues or peers in a conference room and he will open right up. But if he doesn’t know and trust everyone he is communicating with online or in person, he is extremely reticent. 

So, I was surprised when he told me that he counts social media as a critical source of information. Here’s the catch – he doesn’t share his concerns openly online. He rarely posts. Instead he listens, lurks, and reads. He watches, following hashtags and threads, and makes sure that he’s tracking new potential threats in real time.

Our study backed up his insistence on the value of social media: 

  • 74% of respondents use LinkedIn for work.
  • 64% read blogs as part of their job.
  • 32% have an active work-related Twitter account.

Social media is never the sole source of information or news, but it is a critical tool. The CISOs we surveyed don’t wait until the mainstream media breaks a story. As one CISO put it:

“When I have a need, I turn to the community. The community disseminates the latest threats and issues usually before the media knows it’s happening. It is a global affair and not a local one.”

3. They actively communicate with business leaders.

The best CISOs meet regularly with line-of-business leaders, department heads, and product managers. These conversations can be awkward at first. But they are critical.  

One West Coast CISO summarized the problem well:

“So many [CISOs] still talk in terms of technology, infrastructure and apps, but no one can understand them. This causes a real disconnect. They don’t trust us when we don’t communicate well.”

Another respondent noted that the differing mindsets of security and line-of-business executives:

“We’re not in a position to say ‘do this or die.’ You have to negotiate… You are right with your security view but understand that we’re still a business. It’s a balancing act.”

But, the best CISOs have overcome these challenges and are involved with ongoing, active dialog with business leaders. These discussions are not only about addressing business risks, but supporting business opportunities as well. As one high performing CISO summed it up by saying:

“We need to embed ourselves into the guts of the business and help our company grow and win in this market…”

Perfectly said.


What we do.

We deliver what CISOs and their teams need most: unbiased, practical advice; the ability to speak with professionals who understand their challenges; and peer interaction to keep their knowledge and skills fresh and up-to-date.

Decision Support

End-User Decision Support is our flagship offering delivered through an annual subscription service designed for CISOs and their teams. IANS connects you with independent experts and practitioners who have ‘been there, seen it, and done it,’ enabling you to accelerate your capabilities and make informed decisions.

Learn More

Consulting

We work with you to shape engagements and provision them with the right IANS Faculty experts. Your project will never be staffed with junior level consultants. Our expertise is built from hands-on experience. We staff your project with doers who recommend actions, and then help you take them.

Learn More

Events

Our events feature IANS Faculty members who offer a breadth of in-the-weeds advice and high-level guidance for the entire security team. Designed for you to engage with like-minded security professionals in a supportive environment, you’ll learn from a variety of industry approaches and use cases.

Learn More