Flexibility, patience, business acumen, and mentoring are other keys
Other key attributes of the most successful CISOs include having the flexibility to look for creative solutions to problems and move quickly from one project to the next, remaining patient whenever possible, and running security as if it were a business unit. The latter talent requires the ability to gather important security and compliance data, plus knowing how to use that data to defend related budget items and project work.
One of the most important assets for any CISO, Kark said, is to behave as a "kingmaker," someone who helps other people improve their own skills by acting as a mentor, rather than as a draconian ruler who merely gives commands and expects them to be followed. "CISOs need to help other people succeed and take over different responsibilities. This should be part of their overall security strategy," he said.
A related talent is not playing the blame game. "CISOs also have to be willing to take on a lot of the blame when things go wrong, even if it was someone else's fault. You don't want to take the blame for everything, but if you can stand up for someone else's mistake and use that to work on issues that improve the overall position of the organization, that's a great thing to do."
Value of deep technical skills is questioned
One aspect that the Forrester report did not cite as critical to a CISO's success was having a high level of technical skills. "Some people said yes, and others said no. This is an old debate," Kark said. "I think the key is that you absolutely need to have the ability to comprehend technical data, but you don't necessarily need the hands-on skills. Many successful CISOs don't focus on operational issues like managing firewalls, but they do need to be aligned with defining security policies and crafting the risk posture of their organization."
In fact, many CISOs who do have technical skills contend that this knowledge often ends up tying them down in too many operational decisions and projects, he said.
Regardless of a CISO's technical abilities, Kark said that it will become increasingly important for security leaders to move away from a bottom-up approach to security, where the focus is what tools to use, to a top-down approach driven by risk management and governance concepts. "These executives need to move from operational expertise into more of a role of a strategic thinker, from a policeman to a trusted adviser," he said. "They need to see themselves more as a consultant, as opposed to an auditor, and transition from a specialist in IT security to a generalist in overall business risk."