Research shows various ways to classify CISOs based on role expectations, strengths and experience – distinctions that matter when it comes to ensuring that security leaders land in jobs where they will succeed.

When executives at a startup asked security leader George Gerchow to advise them on selecting a CISO, Gerchow recommended finding a security chief who had the skills to scale a security program, handle an incident, and engage with customers.

The company instead hired a highly technical CISO, one who worked like the hands-on architect Gerchow had been but lacked the leadership skills that were needed to calm clients when a security event eventually occurred. That skills deficit left the CEO scrambling to fill the void and customers feeling dissatisfied.

The story shows that the CISO was the wrong type for the role, says Gerchow, faculty at IANS Research and interim CISO/head of trust at MongoDB. The anecdote and Gerchow’s observations highlight the idea that leaders — including business executives broadly and CISOs in particular — can be classified into different types.

Stay updated with SOC News for cutting-edge security innovations and expert industry insights! 

Source: https://www.csoonline.com/article/3830379/strategic-functional-tactical-which-type-of-ciso-are-you.html

These 10 steps can help CISOs and other cyber pros deal with the inevitable change they will face in an industry constantly challenged by new technology, widening business responsibilities, and an ever-evolving threat landscape.

If there’s one thing that’s inevitable in cybersecurity, it’s change. Ever-evolving technology requires new protections, threats seem to multiply and morph on a daily basis, and even the humblest pieces of software and hardware demand constant updating to stay secure.

That work has been increasing as the importance, visibility, and impact of security initiatives have ramped up in recent years. Now, more than ever, security programs often require stakeholders within and sometimes even outside an organization to change workflows, practices, and behaviors.

A disciplined approach to change management in security is a must, says Ken Knapton, who provides CISO and CIO services through his IT services firm Rocky Mountain CIO. “The idea is, if you’re going to make changes, there is a path you have to bring people down and it starts with ‘Here’s what we want to do,’” Knapton tells CSO.

To effectively lead organizations through change, Knapton uses a chart that maps the multiple steps necessary to successfully adopt new ways of working. The chart plots the movement from awareness and understanding of the desired change through compliance and adoption to, ultimately, internalization. It also lists the myriad consequences of resistance (including sabotage and canceled projects).

Knapton had successfully used this approach as a CIO. As he has more recently taken on CISO duties, he’s applying those same change-management skills to ensure that new security processes, policies, and technologies are adopted effectively.

Cybersecurity leaders need to widen their change-management skills

“Too often security leaders say, ‘We are going to do this because we have to’ without helping people along the path. That’s because they think everyone is going to jump on board. But that doesn’t work,” Knapton says.

Source: https://www.csoonline.com/article/3804320/want-to-be-an-effective-cybersecurity-leader-learn-to-excel-at-change-management.html