Gartner research reveals the good and bad habits of CISOs

A survey by Gartner has revealed that only 12% of chief information security officers (CISOs) excel in all four categories of the Gartner CISO Effectiveness Index. The 2020 Gartner CISO Effectiveness Survey was conducted among 129 heads of information risk functions across all industries globally in January 2020.

Gartner determines CISO effectiveness by a CISO’s ability to execute against a set of outcomes in the four categories of functional leadership, information security delivery, scaled governance and enterprise responsiveness. Effective CISOs are defined as those who score in the top one-third of the CISO effectiveness measure. Sam Olyaei, Research Director at Gartner, noted that today’s CISOs must demonstrate a higher level of effectiveness than ever before.

“As the push to digital deepens, CISOs are responsible for supporting a rapidly evolving set of information risk decisions, while also facing greater oversight from regulators, executive teams and boards of directors. These challenges are further compounded by the pressure that COVID-19 has put on the information security function to be more agile and flexible,” said Olyaei.

Gartner also revealed five behaviours that significantly differentiate top-performing CISOs from bottom performers. On average, each of these behaviours is twice as prevalent in top performers than in bottom performers.

“A clear trend among top-performing CISOs is demonstrating a high level of proactiveness, whether that’s staying abreast of evolving threats, communicating emerging risks with stakeholders or having a formal succession plan. CISOs should prioritise these kinds of proactive activities to boost their effectiveness,” said Olyaei.

The survey revealed that top-performing CISOs regularly meet with three times as many non-IT stakeholders as they do IT stakeholders. Two-thirds of these top performers meet at least once per month with business unit leaders, while 43% meet with the CEO, 45% meet with the head of marketing and 30% meet with the head of sales.

Daria Krilenko, Senior Research Director at Gartner, said CISOs have historically built relationships with IT executives, but digital transformation has further democratised information security decision-making.

“Effective CISOs keep a close eye on how risks are evolving across the enterprise and develop strong relationships with the owners of that risk — senior business leaders outside of IT,” said Krilenko.

Highly effective CISOs also better manage workplace stressors, with 27% of top-performing CISOs feeling overloaded with security alerts compared with 62% of bottom performers. Less than a third of top performers feel that they face unrealistic expectations from stakeholders, compared with half of bottom-performing CISOs. Olyaei notes that the most effective security leaders are those who can manage the stressors that they face daily.

“Actions such as keeping a clear distinction between work and non-work, setting explicit expectations with stakeholders, and delegating or automating tasks are essential for enabling CISOs to function at a high level,” said Olyaei.

Image credit: ©stock.adobe.com/au/Maksim Kabakou