According to a recent Gartner poll of chief information security officers (CISOs), 69% of top-performing CISOs schedule regular time on their calendars for personal and professional growth. In contrast, just 36% of CISOs with the lowest performance levels accomplish this.
Chiara Girardi, Senior Principal, Research at Gartner, said that "It becomes even more critical for security and risk leaders to protect time for professional development as the CISO role continues to rapidly evolve. The new CISO paradigm requires that in order to effectively serve as a strategic advisor to the business, new skills and knowledge must be developed as the role changes."
227 CISOs participated in this benchmarking study conducted by Gartner. Data was gathered between 2020 and 2023. Key areas of CISO effectiveness were assessed of respondents, and those who scored in the top one-third were classified as ‘top performers.’
Five crucial behaviors were found to be substantially different between top-performing and bottom-performing CISOs. Figure 1 shows that high achievers exhibit each of these actions at least 1.5 times more often than low performers do.
Fig. 1: Effective CISOs’ Top Five Game-Changing Behaviors
New and Developing Risks
According to the Gartner survey, for instance, 77% of top-performing CISOs start discussions on changing international and national security standards, such threat attribution and hacking back, inside their organization. In contrast, just half of the lowest achievers achieve this.
Girardi said, "No organization can be completely protected against every cyber-threat. The most successful CISOs remain aware of new and developing risks so they can inform leadership about the biggest threats to the company and help them make appropriate risk and investment decisions."
Furthermore, just 38% of poorly performing CISOs actively participate in safeguarding cutting-edge technologies like blockchain, machine learning, and artificial intelligence (AI), as opposed to 63% of top-performing CISOs.
Girardi added, "CISOs are already behind the curve in assessing its risk impact as AI adoption proliferates. CISOs need to be more proactive in assessing the security implications of technologies like generative AI and sharing those risks with senior business leadership because threat actors are always one step ahead."
Successful CISOs actively interact with top decision-makers across the company. For example, they establish rapport with them outside of project contexts (65%) and work together to define the enterprise's risk appetite (67%). Additionally, compared to IT stakeholders, the most successful CISOs typically meet with three times as many non-IT stakeholders, including business unit executives, heads of sales, and heads of marketing.
According to Girardi, "Non-IT functions are important partners that can take technology and cybersecurity decisions outside of IT. CISOs can foster an environment where decision makers understand and care about cybersecurity, as well as take cybersecurity implications into consideration in their decision making, by allocating dedicated time to develop relationships with senior business decision-makers across the enterprise."
