As a tight-knit and justifiably reticent group, CISOs don’t typically share their best practices. So at the end of 2017, my firm, IANS, completed a research study based off the responses of 218 top information security professionals. Below, I’ll be highlighting
key takeaways from the research, which paints a picture of how CISOs make decisions.
How do effective CISOs make good decisions? Here are the three main findings:
1. CISOs rely on peer networks to help them succeed in their role, but access varies.
The world of digital threats is constantly evolving. There is so much input, so many new attacks to understand and defend against. So, the ability to talk to peers and understand what matters — and, just as critically, what doesn’t —
is tremendously important. CISOs are intrinsically collaborative. There’s a culture of sharing knowledge with trusted peers and experts. But developing and maintaining a quality network requires time and effort:
- 73% of those surveyed spend 1 hour or more per month participating in formal peer networks.
- 50% spend five or more hours per month on informal peer networking.
Many respondents cited participating in events as a common practice, but they also complained of a lack of access to experts capable of fueling new approaches and innovative thinking.
Still, our study revealed that when CISOs do connect with experts or well-informed, equally passionate peers — individuals who share their challenges and aren’t trying to sell them something — they work hard to maintain and cultivate
these relationships.
2. They understand the value of social media.
One successful CISO, who directs information security for a large financial services firm, is not the sort you’d expect to be active on social media. Meet him and a few trusted colleagues or peers in a conference room and he will open right up.
But if he doesn’t know and trust everyone he is communicating with online or in person, he is extremely reticent.
So, I was surprised when he told me that he counts social media as a critical source of information. Here’s the catch – he doesn’t share his concerns openly online. He rarely posts. Instead he listens, lurks, and reads. He watches, following
hashtags and threads, and makes sure that he’s tracking new potential threats in real time.
Our study backed up his insistence on the value of social media:
- 74% of respondents use LinkedIn for work.
- 64% read blogs as part of their job.
- 32% have an active work-related Twitter account.
Social media is never the sole source of information or news, but it is a critical tool. The CISOs we surveyed don’t wait until the mainstream media breaks a story. As one CISO put it:
“When I have a need, I turn to the community. The community disseminates the latest threats and issues usually before the media knows it’s happening. It is a global affair and not a local one.”
3. They actively communicate with business leaders.
The best CISOs meet regularly with line-of-business leaders, department heads, and product managers. These conversations can be awkward at first. But they are critical.
One West Coast CISO summarized the problem well:
“So many [CISOs] still talk in terms of technology, infrastructure and apps, but no one can understand them. This causes a real disconnect. They don’t trust us when we don’t communicate well.”
Another respondent noted that the differing mindsets of security and line-of-business executives:
“We’re not in a position to say ‘do this or die.’ You have to negotiate… You are right with your security view but understand that we’re still a business. It’s a balancing act.”
But, the best CISOs have overcome these challenges and are involved with ongoing, active dialog with business leaders. These discussions are not only about addressing business risks, but supporting business opportunities as well. As one high performing
CISO summed it up by saying:
“We need to embed ourselves into the guts of the business and help our company grow and win in this market…”
Perfectly said.