A CISO Handbook To Effective Leadership & The Art of Influencing People

This document provides guidance from experienced CISOs on developing leadership and influencing skills. It discusses how soft skills are important for CISOs to build cooperation across teams. CISOs must understand business needs, communicate effectively, and mentor future leaders. The document offers success tips from CISOs, such as keeping others informed with concise updates and thinking like a negotiator by focusing on how security supports business goals. CISOs must build rapport and alliances to gain support without direct authority.

Uploaded by

kennethzamora

WISEGATE ANSWERS

GUIDANCE & COACHING HANDBOOK

A CISO Handbook to Effective Leadership & the Art of Influencing People
Learn how veteran CISOs earn recognition as good leaders and gain the support of others

A Gated BRAINTRUST of the Wisest in IT


Introduction
Whether or not you care about being the life of the party, the role of CISO demands more than just
technical skills. It also requires the ability to understand business needs, build cross-functional support
and mentor the next generation of security leaders. These soft skills aren’t always easy for security
practitioners. As one Wisegate CISO explains,


“No offense to anyone out there, but technologists can be socially inept. We often feel much more comfortable sitting in front of a screen and a keyboard than having a face-to-face meeting.”

By exchanging strategies and tips with their peers, Wisegate Members are investing in themselves, proactively improving their management skills and growing as IT leaders. In this report, Wisegate makes available veteran CISOs’ leadership strategies—that are typically shared only between Wisegate Members—to the wider IT security community with advice in 4 key areas:

» Understanding the importance of soft skills—What leadership skills are necessary for CISOs and can those skills be learned?
» Building influence and alliances within the organization—How CISOs build cooperation and collaboration across the organization (even if they lack executive authority).
» Mastering the art of effective communication—Strategies CISOs can use to clearly make their point and sell their vision to the business.
» Identifying and mentoring future security leaders—Why it’s important for CISOs to find and develop new security leaders within their team.

Understanding the Importance of Soft Skills
There is no question that technical skills are necessary for anyone working in IT, but as you move up to executive levels, other skill sets come to the fore. As a Wisegate CISO notes,

“It was very much a learning experience when I hit the CISO level to find out that I needed to play nice with others in the sandbox. Not that I never did before, but it’s a game-changer most certainly.”

A Healthcare CISO explains,

“You have to be friendly, able to communicate well, a salesman of sorts, have people respect you, and have a high level of common sense.”

A recent survey of Wisegate Members ranked Collaboration, Strategic Thinking and Influence as the most important skills for security leaders.

[Survey chart: What skill(s) do you consider essential in order to succeed in your organization? Source: Wisegate, October 2013]

Wisegate Membership Has Its Advantages

Learn how your peers use Wisegate to gain IT knowledge and advice. Wisegate Members are some of the most experienced IT and security executives and managers in the world—and they trade the knowledge they’ve gained through experience using Wisegate.

Sharing the Wisdom of IT Experts
» We don’t allow vendors, analysts or IT rookies to join.
» 100% of Members are senior-level (IT executive, director or manager).
» 91% of Members have 16+ years experience in IT.

Schedule your tour today! wisegateit.com/resources/book-a-tour

CISO Guide to Effective Leadership & the Art of Influencing People


It undoubtedly takes a special type of person to successfully step into the role of CISO. A Wisegate
Member describes the many hats he wears in the role of CISO as,


“I feel like we’re part politician, part therapist, and part lawyer.”

The acquisition of soft skills isn’t always easy or comfortable for all security practitioners but with commitment the necessary skills can be mastered. As a veteran CISO notes,

“I had to learn through my career to get away from my desk, and go talk to people. It’s taken a number of years, but now people who just meet me classify me as an extrovert.”

Building Influence and Alliances within the Organization


As the above survey results illustrate, collaboration and influence are two key skills for security
leaders. But since information security officers often lack executive authority over the rest of the
organization, they must harness other skills to foster cooperation and collaboration. As a CISO in the
Banking and Financial Services industry states in reference to the above survey,


“All leadership skills are important, but influencing without authority stands out.”

Learning how to build win/win relationships is critical to success. As a CISO describes,

“It’s necessary to build alliances within the organization so that you build a rapport with these people, and understand what’s important to them. As soon as you start supporting them, they’re going to turn around and support you.”

Success Tips

Building alliances within the organization is no easy task, but Wisegate Members offer the following 4 success tips:

Tip #1: Keep people informed with digestible updates

Influencing others and building cooperation is an ongoing process that takes place on a daily basis. As a first step, you should continually keep others apprised of what is happening. Giving a complete view of a situation can be lengthy and complex, so find ways to cut your updates down to the most essential points, communicate those in a concise manner, and provide access to additional data that people can explore if they have the time or interest.

Key to Success: Cut updates down to the most essential points and communicate in a concise manner.

Tip #2: Think like a negotiator

Along the way, it is vital to concentrate on what is most important to the business and to start thinking like a negotiator. This includes discovering what business units are working on in the next year, and what challenges they’re facing. Then you can figure out how security can support these goals and initiatives.

Key to Success: Figure out how security can support the goals and initiatives of the business people you are working with.

A Healthcare CISO explains,

“All leadership skills are important, but influencing without authority stands out.”

A Municipality CISO describes his recommended approach as,

“Let them know what’s in it for them and why it’s important. You’ve got to look at it from their point of view; they don’t care about the mechanics or the technical nature of it. It needs to be broken down into: What does it mean to the business? Are you going to slow it down or speed it up? And can you be a business enabler?”

An Information Security Officer from the Healthcare industry adds,

“You have to overcome the old security manager reputation of saying ‘No’ and show that you’re all about business enablement. I tell my managers that I’m here to not only help them do business, but to do business securely. I see the security manager’s job as the enablement of secure lines of business communication. But, I have to keep in mind that security should be in alignment with the value of the data. Putting in gates and security for low levels of information will be perceived as overkill.”

Tip #3: Make their job easier

To be successful you will need to gain the trust and support of others across the business by showing them that you will make their job easier, not encumber them with additional rules that keep them from doing their job.

A Senior Security Manager for a Manufacturing Company says,

“Let them know you want to take out the complexity and make it easier but more secure for all. Security is here to help not hinder. If you can show this, you’re on your way.”

Sometimes restrictions are necessary. In such cases, help others understand why these actions are being taken and the consequences of not adopting your recommendations.

The Director of Information Security for a Logistic and Transportation Company states,

“We all want to enable the business and make their lives easier whenever possible. If you are doing that, the business will be more understanding when something does need to be taken away.”

Tip #4: Act in service to others

The ultimate way to gain trust is by delivering what business units want. Security leaders can no longer afford to be viewed as a barrier to business. Sometimes this requires CISOs to ask their security teams to think creatively, as a Wisegate Member explains,

“We have evolved all our people to think, ‘not no.’ No is not the answer. It’s how. How do we enable the business to do what they’re trying to do in a safe manner or as safe of a manner as possible?”

It is better to meet the needs of the business rather than be circumvented, as a Director of Data Services states,

“We make sure that we deliver what our business units need in a timely manner. We do this to help business as well as reduce the possibility of shadow IT Groups.”

Mastering the Art of Effective Communication

The key skill for gaining cooperation and collaboration is the ability to communicate. The Director of Information Technology of a Banking and Financial Services Firm states,

“If you cannot write and speak as a member of my management team then you probably are not someone I want interacting with the rest of the organization. I can teach someone technical skills, how to analyze data or even to think more globally, but if they can’t articulate that vision or strategy then it doesn’t matter how good they are.”

Communication is a broad topic, but it is a skill that can be learned.

7 Communication Strategies from Wisegate Members

Strategy #1: Know your audience

Before planning a paper or presentation, take some time to analyze who will be receiving the communication. It helps to know their interests, their concerns and their level of technical understanding.

A Wisegate Member states,

“As I spend more time presenting to our executive team, I realize that you have to appreciate how each of them likes to digest the information.”

The Director of IT Risk Management for a Financial Services Firm says,

“Some people skip straight to the point and don’t really care as much how you got to this conclusion — they just want to know what the meat of it is. Other people want to look at all the other things you considered.”

Strategy #2: Be a detective

Sometimes a little legwork goes a long way in ensuring success. One Financial Services Risk Manager says he surveys other executives to find out the best approach given the audience. As he states,

“You can gain insight from other executives who present on a regular basis. They’re usually happy to share the information of what works and what doesn’t, and will generally help review any proposed presentations you have or any messaging to help you refine it.”

A SECRET TIP: THAT MIGHT NOT BE SO OBVIOUS, BUT IT’S TRUE…

Administrative assistants can be extremely helpful as well, as a Wisegate Member shares,

“Administrative assistants and executive assistants are invaluable. They’ll tell you exactly what the executive’s personality is and how to be successful.”

Strategy #3: Understand the importance of sales and marketing

Sometimes the CISO role requires sales and marketing. If a business audience doesn’t get the need for security, it might be necessary to sell them on security first, before getting to the main point of the paper or presentation.

A Local Government CISO says,

“Some executives think information security is just an add-on that’s not needed. In other cases, they really get it. You have to discover who you’re addressing and where they’re headed, and that takes time because they’ll shut your message off if you begin with the wrong slant.”

Strategy #4: Watch your language

We’re not talking about swearwords (though you may want to be careful with those), but your tech terms. Unless your audience shares your level of expertise, you may as well be delivering the talk in Medieval Latin. So, pick the language they speak, not your own. Even if you are careful to define the terms and abbreviations early on, every time they have to stop and think back to what you said earlier, you have lost their attention for at least that portion of the presentation.

A Wisegate Member recommends,

“Stay away from technical jargon and abbreviations because they’ll glaze over. You’ve got to take all that out and distinctly say what you’re trying to say to them.”

Strategy #5: Clarify your message

Not only do you have to eliminate IT jargon, you have to know how to translate information into the language of the audience—whether it’s the language of business, personnel, finance or education. Take the time necessary to deliver the exact message you want, without getting sidetracked or causing the audience to become lost or bored before you deliver the main message.

The IT Risk Manager for a Financial Services Firm explains,

“For every five-minute presentation, I spend hours refining that message and making sure that the points are clear, that it’s not cluttered and that they really get out of it what they were looking for. It needs to come home to them—why they should care about this and how it impacts whatever areas they’re responsible for.”

Strategy #6: Focus on the result

It is easy to get caught up in the nuts and bolts of a solution, but that is not what the audience wants to hear. They are likely more interested in the problem that needs to be solved and what the result will be from implementing your proposed solution.

A Wisegate Member states,

“You should start with why you’re there, what you’re trying to accomplish, how you’re going to do that, and the results of that. If you can summarize that quickly they’ll appreciate it.”

Strategy #7: Keep their attention

For live presentations, it may be fun to create a detailed PowerPoint presentation, but that can work against you. In most cases, people don’t want to wade through too much detail.

The Senior Security Manager for a Global Consumer Electronics Firm states,

“If I can make it work, it’s better to set it up so the first sentence or first bullet point answers their question. Make sure it’s just straight to the point. Within that first 15 minutes, if I see executives drifting off, I’ll have to do something. I always throw something in there to make it a little humorous. I’ll add something just to catch everybody off-guard—and make sure that they’re still awake.”

TIP: ADD SOMETHING HUMOROUS (WHEN APPROPRIATE)

The Senior Security Manager for a Global Consumer Electronics Firm gives the following example of a presentation he gave to the president. He had done a gap analysis and examined some old internal tools that never really worked—and everybody complained about. As he shares,

“I listed the tools, and then I put ‘sucks,’ and I did another one and it said, ‘sucks more,’ then the third one I put ‘really, really sucks.’ They laughed at it, but then I put the politically correct one after that. I just did that just to break the ice.”

Identifying and Mentoring Future Leaders
Unless a CISO can handle all the leadership duties within the organization, a CISO needs to
foster others who can move up within the information security ranks. So how does one find a
good candidate to groom for a leadership position given all the hats required?

Here are some of the qualities that Wisegate Member CISOs look for:

» Tenacity—“Somebody who’s outgoing, who isn’t afraid to take on
challenges and who’s determined and tenacious in getting things
accomplished. As CISOs, we have to try again and again and again.”
» Vision—“Being able to see past the current state, faults and
shortcomings and have a vivid image of what state you need to move
your program to, and then being able to articulate that vision clearly to
others.”
» Understanding of Business—“If they don’t understand the business,
they will never be good security officers. It’s extremely important for
them to know what the business is, what the mission is and what the
leaders of the organization want to protect.”
» Versatility—“Security professionals have to be versatile, so I’m always
looking for somebody who can just wear a lot of hats no matter what
they’re doing.”
» Solution Oriented—“I’m looking for someone to bring me a solution,
and someone who can sit down and explain it to me, what they’ve
thought about and what their opinion is. That shows me that they’re
somebody who is willing to take the time and effort to look at a problem
from both sides and try to find a good workable solution.”

Developing Skills in Emerging Leaders
Once a potential security leader has been identified, how does one go about grooming that
person for a more senior position? A Wisegate CISO Member states,

“Spend time with these promising folks. Take a look at their skills,
just in inventory, and help them with the skillsets they might need
assistance with.”

Here’s how Wisegate Members help develop the skills of their future leaders:
» Communication Skills—For those who are not naturally great speakers, several of the
CISOs recommended participating in Toastmasters. To improve written presentations,
college and online business writing courses can help.
» Business Classes—“I recommend others to take some basic business courses,” says one
CISO. “It’s not that you have to go after another degree, but you need to understand the
basics.”
» Cross-functional Teams—To develop collaborative skills, someone can be assigned
to a cross-functional team. Not only does it help the employee grow, but it provides a
manager insight into how that person interacts with others. “When you’re working with
others on a cross-functional project, you learn their traits and personalities,” says a Wisegate
Member. “By giving them the opportunity to lead cross-functional projects according to their
skills and experience, it helps them grow by osmosis.”
» Learning by Experience—“I let them handle some day-to-day situations,” says a Healthcare
CISO. “They’re going to learn by the incidents that come up in order to develop the toolkit
they need.”
» Assigning Responsibility—“They have to assume some accountability, and that’s going to
lead to credibility which is vital in any CISO.”

Weighing the Importance of Certifications
In addition to these skills, what about technical skills, and exactly how valuable are
security certifications?
Wisegate members weigh in:

» Certifications build credibility—“I believe them to be vitally important,” says one
CISO. “I’m going to go with the essence of why the certifications were created in the
first place, and that was to provide the business world with an assurance of somebody
having a baseline knowledge of information security and/or how to manage information
security.”
» A good way to get in the door—“It’s a basic requirement if you’re talking to a recruiter
and an HR person, because those are the keywords they’re looking for,” says a Financial
Services Security Executive. “Lack of certification makes you stand out and you will have
people questioning why you didn’t put in the effort to sit for a six-hour exam for this
CISSP.”
» CISM may be more valuable than CISSP for CISOs—Of the CISSP and CISM, the
CISM was viewed as more valuable for a CISO. “If I’m hiring people, I’m looking for
something like a CISM to show that you spent time to study,” says the Municipality
CISO. “If I’ve been working with somebody for a while and know their technical chops,
it’s not as important because I know who they are and what they can do.”
» Experience trumps the certificate—Bottom line, it comes down to experience. So
when looking for someone to move up into management, security certification is
not always enough. As a CISO states, “Comparing a candidate with only a CISSP to
another with a CISSP and some server and network certifications, for example, I prefer
someone with a more rounded background.”

In Closing
As the role and responsibilities of CISOs continue to expand, current and future
security leaders will need to develop the soft skills necessary to thrive within the
business and ultimately establish influence without executive authority, master
the art of persuasion through effective communication and nurture the next
generation of security leaders.

Being part of Wisegate keeps senior IT practitioners abreast of evolving
security management trends and informed on which approaches their peers
find effective. In-depth discussions on how CISOs overcome career challenges
using effective leadership strategies continue online at www.wisegateit.com.

IT experts. Trading IT knowledge.


Wisegate is an IT expert network and information service that provides senior-level IT
professionals with high quality research and intelligence from the best source available—
their peers. Through live roundtable discussions, detailed product reviews, online Q&A and
polls, and timely research reports, Wisegate offers a practical and unbiased information
source built on the real-world experience of veteran IT professionals. No analyst theories or
vendor bias to cloud the information, just clear and straightforward insight from experienced
IT leaders.

Would you like to join us? Go to wisegateit.com/request-invite/ to learn more and to submit your request for membership.

PHONE 512.763.0555 | WEB www.wisegateit.com
