Top-performing CISOs reserve time for professional development

Just under 70% of the top-performing chief information security officers (CISOs) dedicate recurring time for professional development on their work calendars compared to just 38% of their bottom-performing counterparts, according to the results of a three-year study of more than 225 CISOs conducted by analysts at Gartner.

In a report titled Key behaviours driving CISO effectiveness, Gartner set out five habits that it believes are held in common by the most highly effective CISOs. On average, said the analysts, each of these behaviours is at least one and a half times more prevalent among the top performing CISOs than it is among the bottom performing.

“As the CISO role continues to rapidly evolve, it becomes even more critical for security and risk leaders to protect time for professional development,” said Chiara Giradi, senior principal, research at Gartner.

“Developing new skills and knowledge as the role changes is essential to effectively serve as a strategic advisor to the business – the new CISO paradigm.”

The analysts found those performing at the top of the game devoted time and energy to initiating discussions around the evolving cyber security landscape to stay ahead of threats, with 77% of the top performers doing this compared to 50% of the bottom performers.

“No organisation can be fully protected against every cyber threat,” said Girardi. “The most effective CISOs stay apprised of existing and emerging risks so they can provide leadership with context around the most significant threats facing the business, to influence investments and risk decisions accordingly.”

The top CISOs also spent time securing emerging technology, such as artificial intelligence (AI), blockchain and machine learning, with 63% of the top performers doing this compared to 38% of the bottom performers.

Girardi said many CISOs were still behind the curve in terms of assessing the risk impact of new technology, especially generative AI, given the enthusiastic take-up of such tech among threat actors for purposes such as crafting convincing phishing lures.

She added that CISOs in general needed to be more proactive when it came to understanding the impact of generative AI and communicating those risks with senior business leadership.

Indeed, building relationships and communicating openly with other senior decision-makers in the organisation was one of the habits that top-performing CISOs engaged in to a greater degree than the bottom-performers – 65% of the most effective CISOs did this compared to 37% of the least effective.

Crucially, these relationships paid off more when developed outside of the context of ongoing IT or cyber security projects, and the CISOs Gartner found to be most effective met with three times as many non-IT stakeholders – such as heads of human resources, marketing, sales, etc – than IT stakeholders.

Moreover, the most effective CISOs defined their organisations’ risk appetite through collaboration with other decision-makers and lines of business (LoBs) – 67% of the top-performers did this compared to 28% of the bottom-performers.

Girardi added: “Non-IT functions are key partners that can take technology and cyber security decisions outside of IT.

“By setting aside dedicated time to build relationships with senior business decision-makers across the organisation, CISOs can cultivate an environment where decision-makers understand and care about cyber security, as well as consider cyber security implications in their decision making,” she concluded.