Cybersecurity professionals often have highly demanding roles in an organization. They are required to possess the necessary technical skills for managing the security infrastructure across the entire organization, while also maintaining a proactive mindset for continually evolving the security strategy. Unfortunately, due to the large responsibility they bear, they can become easy targets for blame when security incidents occur. Nevertheless, despite the stress, cybersecurity jobs remain attractive to candidates.
The position of the chief information security officer (CISO) stands out as one of the most influential and well-paying roles within an organization, attracting a diversity of talent. While strong technical skills are key, CISOs must also exhibit resilience, unwavering focus, and a strong commitment to transparency.
Interestingly, candidates with nontraditional backgrounds offer unique benefits to the cybersecurity field, specifically CISO roles. “I’ve found that individuals that have faced adversity in their life tend to make better CISOs,” noted Amit Anand, senior analyst at the Everest Group. “The challenges they have had to face tend to make them more adaptable and better at communication and collaboration.”
ITPro Today spoke with CISOs and CEOs from a variety of organizations to determine traits that either nurture or hinder a CISO’s success.
Do You Have What It Takes to Excel in CISO Responsibilities?
Key attributes like keen attention to detail, the ability to multitask, and self-motivation are valuable skills for a CISO. However, the most successful security professionals have the right personality traits that enable them to thrive in the industry over the long term.
A CISO must possess strong interpersonal skills, as leadership is integral to their work. That means CISOs often must strike a delicate balance between being both independent self-starters and effective collaborators. “You have to take initiative and bring forward, socialize, and implement security and compliance priorities for an organization,” said Anusha Iyer, the CEO of Corsha, an API security company. “At the same time, a CISO’s role is to protect an organization, so you have to work with literally everybody in the organization from the CEO and CIO to the office administrator to the UI developer.”
In the world of cybersecurity, it is not a question of if a cyberattack will occur but rather when. CISOs must accept that dealing with risk and vulnerabilities is central to their work. In a role where threats are constantly looming, qualities like humility and accountability are priceless. A CISO who can take responsibility and learn from their trials will cultivate trust within their organization.
The ability to communicate clearly, both in technical and non-technical terms, is a necessity for any IT worker. However, an exceptional CISO must also be a skilled storyteller. Iyer explained how CISOs can use storytelling to strengthen a company’s commitment to security: “In the role of a CISO, you often find yourself at the crossroads of various organizational functions. You must be able to communicate and rally support for cybersecurity initiatives, even when they may not be top of mind for everyone. Think of it as weaving a compelling narrative that helps others understand the importance of security, even in the face of competing priorities like new features and roadmaps.”
As with any profession, a genuine passion for the work is what can elevate a CISO from a place of mere proficiency to one of innovation. Having a sincere love for the work not only strengthens one’s commitment to security but also spurs personal and professional growth. “Those who excel in the field of cybersecurity tend to be open to new opportunities,” said Trevor Hilligoss, senior director of security research at SpyCloud. “The field of cybersecurity is constantly evolving, and those who are unable or unwilling to match pace with the field’s growth will be quickly relegated to the sidelines.”
Curiosity and pragmatism are also essential qualities for CISOs to have. As problem-solvers, CISOs must be able to examine issues from all angles before acting. “A CISO must be adaptable to respond effectively to new and evolving cyber threats,” Anand said. “This includes adjusting security strategies, implementing new tools, and reevaluating risk assessments as the threat landscape changes. Cyber threats evolve, and new vulnerabilities emerge regularly. A CISO must engage in continuous learning to stay informed about emerging risks, security trends, and the latest cybersecurity tools and techniques.”
Traits a CISO Shouldn’t Have
Understanding the key qualities of a strong CISO is helpful, whether you’re part of a hiring committee or a CISO seeking growth. Equally important is recognizing which traits can be detrimental to an organization.
A culture of shame hinders transparency and erodes trust, ultimately jeopardizing the entire organization. That’s why a commitment to nonjudgment is arguably the most crucial CISO trait.
“When you step into an organization as a CISO, it’s important to resist the urge to pass judgment,” Iyer advised. “It’s easy to say, ‘Why were things done this way?’ or ‘Why wasn’t a secrets manager used and certificates rotated?’ However, this kind of questioning doesn’t help with building trust and getting buy-in.”
Since risk is an inherent factor of cybersecurity, a CISO must not have a risk-averse mentality. The ability to quickly and accurately assess risk, particularly in high-pressure situations, is a vital trait. Besides dealing with threats, CISOs must be willing to embrace certain risks in terms of innovation – for example, by adapting to new technology and capitalizing on opportunities that arise.
However, while a healthy comfort with calculated risk is necessary, there must be balance. An overly reactive CISO can be a liability. “A reactive mindset increases vulnerabilities, raises the risk of damage, raises costs, erodes stakeholder trust, drains resources, misses security opportunities, causes inefficiency, and can result in regulatory noncompliance,” Hannan said.
Room For Improvement
Personality traits may be innate, but they are not necessarily unchanging. Whether you are pursuing a career in cybersecurity or furthering your existing career, it's important to evaluate your ethics, interpersonal abilities, and values. Understanding and accepting your strengths and weaknesses serves as the critical first step toward growth and adjusting your workplace behaviors.
CISOs who lack integrity or a strong dedication to social responsibility not only face a higher risk of burnout but can also pose serious risks to their organization. However, organizations must share equally in the responsibility to establish a clear code of ethics and uphold it consistently. A workplace culture that promotes transparency, honesty, and ethical conduct reinforces integrity. This is achieved through well-defined codes of conduct, whistleblower protection, and ethical leadership, all of which set the standard for integrity.
“A culture that tolerates unethical behavior, prioritizes short-term gains over long-term ethics, or lacks clear ethical guidelines can erode integrity,” said Nabil Hannan, field CISO at NetSPI, a penetration testing provider.
CISOs should never feel siloed. Organizations need to offer support for their cybersecurity professionals. An alarming 94% of CISOs feel that they are overworked, according to a recent study by Cynet. To address this, organizations must have appropriate backups in place for CISOs when they take time off (e.g., a vacation without urgent calls about security concerns). Access to mental health resources is also important, especially in a field as high-pressure as cybersecurity.
Moreover, mentorship can play a role in providing helpful guidance and support. Newer and less experienced CISOs often find themselves in situations where they lack clarity on the best course of action. It can be highly beneficial to have a mentor outside the organization who can offer impartial advice and guidance on specific challenges. Organizations can also explore the option of using virtual CISO services for additional support. Additionally, there are classes and training programs available for CISOs, offering opportunities to build a peer network, Anand noted.
ITPro Today asked experts across the field of cybersecurity for some tangible ways that CISOs can succeed and foster a culture of inclusion, nonjudgment, and innovation at their organizations. Here’s what they said.
Anusha Iyer, CEO of Corsha
“By emphasizing improvement over criticism, [an organization] can work together to build trust internally while enhancing the overall security posture of the enterprise.”
“Day-to-day traits most important [for CISOs] to foster include things like transparency and information sharing. In order to get folks comfortable with sharing and collaborating (which is critical to a CISO understanding the environment they are trying to protect), people need to feel safe and comfortable communicating even when things have gone sideways. Keep the blame out of it.”
Amit Anand, senior analyst at Everest Group
“Ultimately, a CISO should adapt their approach based on the organization's unique needs and circumstances, knowing when to take the initiative and when to collaborate effectively to achieve cybersecurity objectives.”
Nabil Hannan, field CISO at NetSPI
“Most CISO job descriptions focus on applicants with technical acumen but often fail to include the soft skills needed (i.e., communication, critical thinking, and leadership). For example, an essential component of the CISO role is understanding how an organization makes money and brings value to its customers. Often, threat actors will approach attacks based on where the money is. As a result, CISOs require soft skills to better make the connection between how cybersecurity fits into an organization’s broader financial picture.”
Michael Mestrovich, CISO at Rubrik
“The biggest thing the company can do to help the CISO is support them in their messaging, in their actions, and their interactions. Show that cyber is important to the success of the company [and] support the CISO in their policy objectives [and] their rules and regulations. That is more helpful than anything else.”
Larry Whiteside Jr., CISO at RegScale and president of Cyversity
“Many organizations write up job descriptions without fully understanding the type of CISO they need. Every CISO role is not the same, so it's important to know what type of CISO an organization needs so they can select the proper candidate for the role.”
“Screening for a CISO’s sense of social responsibility is fairly easy. It's as simple as asking the question about where their passions lie.”