4. Make Patience Your Top Virtue
One CISO described the job as similar to that of a painter of San Francisco's Golden Gate Bridge -- a task that never ends. This requires careful identification of priorities and a willingness to accept that cultural change happens over long periods of time. Measure your progress in small steps, but deal swiftly with ethical, legal and customer service shortcomings.
5. Be the King Maker, Not the King
Striving to make others successful in their roles has two advantages for the CISO. First, it earns deep appreciation and trust from the person being helped, who can subsequently be counted on to be an ally. Second, people in an organization eventually figure out who is the real "brains behind the operation," even if it's not evident in the short term.
Some CISOs argue that they already have enough difficulty getting the attention of the business management, and that if they allow others to be the "kings" it will become even harder to command attention. This argument might hold to some degree in the short run, but CISOs who have longer-term success adopt a more hands-off approach.
6. Work the Corporate Psyche
CISOs must be able to understand the corporate culture and mold themselves into a role that will be most effective in their organization. They have to be able to work the corporate psyche to hit the right notes, get the necessary buy-in and influence the right people. In a collaborative environment, the CISO may need to influence many people, but in a top down organization, it is sufficient to influence the leaders.
The CISO cannot be the face of every project related to security. In fact, a much more effective solution is to assign security resources as consultants and advisors to projects.
7. Gather Data and Know How to Use It
Having a clear understanding of the security posture is a constant challenge for CISOs. Given the reams of data churned out by security products, it is impossible to get a holistic understanding of the overall risk posture and the effectiveness of security. Successful CISOs spend the time and effort to build comprehensive measurement and reporting capabilities. Many of them also benchmark themselves against peers and encourage a culture of learning from mistakes.
Khalid Kark is a principal analyst at Forrester Research. He is a leading expert in security management, compliance, best practices and services.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.