
WISEGATE ANSWERS

GUIDANCE & COACHING HANDBOOK

A CISO Handbook to Effective Leadership & the Art of Influencing People
Learn how veteran CISOs earn recognition as good leaders and gain the support of others

A Gated BRAINTRUST of the Wisest in IT

Introduction
Whether or not you care about being the life of the party, the role of CISO demands more than just
technical skills. It also requires the ability to understand business needs, build cross-functional support
and mentor the next generation of security leaders. These soft skills aren't always easy for security
practitioners. As one Wisegate CISO explains,

"No offense to anyone out there, but technologists can be socially inept. We often feel much more comfortable sitting in front of a screen and a keyboard than having a face-to-face meeting."

By exchanging strategies and tips with their peers, Wisegate Members are investing in themselves, proactively improving their management skills and growing as IT leaders. In this report, Wisegate makes available veteran CISOs' leadership strategies (typically shared only between Wisegate Members) to the wider IT security community, with advice in 4 key areas:
Understanding the importance of soft skills: What leadership skills are necessary for CISOs and can those skills be learned?
Building influence and alliances within the organization: How CISOs build cooperation and collaboration across the organization (even if they lack executive authority).
Mastering the art of effective communication: Strategies CISOs can use to clearly make their point and sell their vision to the business.
Identifying and mentoring future security leaders: Why it's important for CISOs to find and develop new security leaders within their team.

Understanding the Importance of Soft Skills


There is no question that technical skills are necessary for anyone working in IT, but as you
move up to executive levels, other skill sets come to the fore. As a Wisegate CISO notes,

"It was very much a learning experience when I hit the CISO level to find out that I needed to play nice with others in the sandbox. Not that I never did before, but it's a game-changer most certainly."

A Healthcare CISO explains,

"You have to be friendly, able to communicate well, a salesman of sorts, have people respect you, and have a high level of common sense."

A recent survey of Wisegate Members ranked Collaboration, Strategic Thinking and Influence as the most important skills for security leaders.

[Figure: survey results for the question "What skill(s) do you consider essential in order to succeed in your organization?" Source: Wisegate, October 2013]

Wisegate Membership Has Its Advantages
Learn how your peers use Wisegate to gain IT knowledge and advice.
Wisegate Members are some of the most experienced IT and security executives and managers in the world, and they trade the knowledge they've gained through experience using Wisegate.
Sharing the Wisdom of IT Experts
We don't allow vendors, analysts or IT rookies to join.
100% of Members are senior-level (IT executive, director or manager).
91% of Members have 16+ years' experience in IT.
Schedule your tour today! wisegateit.com/resources/book-a-tour

CISO Guide to Effective Leadership & the Art of Influencing People

It undoubtedly takes a special type of person to successfully step into the role of CISO. A Wisegate
Member describes the many hats he wears in the role of CISO as,

"I feel like we're part politician, part therapist, and part lawyer."

The acquisition of soft skills isn't always easy or comfortable for all security practitioners, but with
commitment the necessary skills can be mastered. As a veteran CISO notes,

"I had to learn through my career to get away from my desk, and go talk to people. It's taken a number of years, but now people who just meet me classify me as an extrovert."

Building Influence and Alliances within the Organization


As the above survey results illustrate, collaboration and influence are two key skills for security
leaders. But since information security officers often lack executive authority over the rest of the
organization, they must harness other skills to foster cooperation and collaboration. As a CISO in the
Banking and Financial Services industry states in reference to the above survey,

"All leadership skills are important, but influencing without authority stands out."

Learning how to build win/win relationships is critical to success. As a CISO describes,

"It's necessary to build alliances within the organization so that you build a rapport with these people, and understand what's important to them. As soon as you start supporting them, they're going to turn around and support you."

Success Tips
Building alliances within the organization is no easy task, but Wisegate Members offer the following 4 success tips:

Tip #1: Keep people informed with digestible updates
Influencing others and building cooperation is an ongoing process
that takes place on a daily basis. As a first step, you should
continually keep others apprised of what is happening. Giving
a complete view of a situation can be lengthy and complex, so
find ways to cut your updates down to the most essential points,
communicate those in a concise manner, and provide access to
additional data that people can explore if they have the time or
interest.

Key to Success:
Cut updates down to the most essential points and
communicate in a concise manner.

Tip #2: Think like a negotiator

Along the way, it is vital to concentrate on what is most important
to the business and to start thinking like a negotiator. This includes
discovering what business units are working on in the next year,
and what challenges they're facing. Then you can figure out how
security can support these goals and initiatives.

Key to Success:
Figure out how security can support the goals and
initiatives of the business people you are working with.
A Healthcare CISO explains,

"All leadership skills are important, but influencing without authority stands out."

A Municipality CISO describes his recommended approach as,

"Let them know what's in it for them and why it's important. You've got to look at it from their point of view; they don't care about the mechanics or the technical nature of it. It needs to be broken down into: What does it mean to the business? Are you going to slow it down or speed it up? And can you be a business enabler?"

An Information Security Officer from the Healthcare industry adds,

"You have to overcome the old security manager reputation of saying 'No' and show that you're all about business enablement. I tell my managers that I'm here to not only help them do business, but to do business securely. I see the security manager's job as the enablement of secure lines of business communication. But, I have to keep in mind that security should be in alignment with the value of the data. Putting in gates and security for low levels of information will be perceived as overkill."

Tip #3: Make their job easier

To be successful you will need to gain the trust and support of
others across the business by showing them that you will make
their job easier, not encumber them with additional rules that keep
them from doing their job.

A Senior Security Manager for a Manufacturing Company says,

"Let them know you want to take out the complexity and make it easier but more secure for all. Security is here to help, not hinder. If you can show this, you're on your way."

Sometimes restrictions are necessary. In such cases, help
others understand why these actions are being taken and the
consequences of not adopting your recommendations.
The Director of Information Security for a Logistic and
Transportation Company states,

"We all want to enable the business and make their lives easier whenever possible. If you are doing that, the business will be more understanding when something does need to be taken away."

Tip #4: Act in service to others

The ultimate way to gain trust is by delivering what business
units want. Security leaders can no longer afford to be viewed as
a barrier to business. Sometimes this requires CISOs to ask their
security teams to think creatively, as a Wisegate Member explains,

"We have evolved all our people to think, not no. No is not the answer. It's how. How do we enable the business to do what they're trying to do in a safe manner or as safe a manner as possible?"

It is better to meet the needs of the business rather than be
circumvented, as a Director of Data Services states,

"We make sure that we deliver what our business units need in a timely manner. We do this to help business as well as reduce the possibility of shadow IT Groups."

Mastering the Art of Effective Communication


The key skill for gaining cooperation and collaboration is the ability to communicate.
The Director of Information Technology of a Banking and Financial Services Firm states,

"If you cannot write and speak as a member of my management team then you probably are not someone I want interacting with the rest of the organization. I can teach someone technical skills, how to analyze data or even to think more globally, but if they can't articulate that vision or strategy then it doesn't matter how good they are."

Communication is a broad topic, but it is a skill that can be learned.

7 Communication Strategies from Wisegate Members

Strategy #1: Know your audience

Before planning a paper or presentation, take some time to analyze
who will be receiving the communication. It helps to know their
interests, their concerns and their level of technical understanding.

A Wisegate Member states,

"As I spend more time presenting to our executive team, I realize that you have to appreciate how each of them likes to digest the information."

The Director of IT Risk Management for a Financial Services Firm
says,

"Some people skip straight to the point and don't really care as much how you got to this conclusion; they just want to know what the meat of it is. Other people want to look at all the other things you considered."

Strategy #2: Be a detective

Sometimes a little legwork goes a long way in ensuring success. One
Financial Services Risk Manager says he surveys other executives
to find out the best approach given the audience. As he states,

"You can gain insight from other executives who present on a regular basis. They're usually happy to share the information of what works and what doesn't, and will generally help review any proposed presentations you have or any messaging to help you refine it."

A SECRET TIP: THAT MIGHT NOT BE SO OBVIOUS, BUT IT'S TRUE

Administrative assistants can be extremely helpful as well, as a
Wisegate Member shares,

"Administrative assistants and executive assistants are invaluable. They'll tell you exactly what the executive's personality is and how to be successful."

Strategy #3: Understand the importance of sales and marketing

Sometimes the CISO role requires sales and
marketing. If a business audience doesn't get the need
for security, it might be necessary to sell them on
security first, before getting to the main point of the
paper or presentation.
A Local Government CISO says,

"Some executives think information security is just an add-on that's not needed. In other cases, they really get it. You have to discover who you're addressing and where they're headed, and that takes time because they'll shut your message off if you begin with the wrong slant."

Strategy #4: Watch your language

We're not talking about swearwords (though you may
want to be careful with those), but your tech terms.
Unless your audience shares your level of expertise, you
may as well be delivering the talk in Medieval Latin. So,
pick the language they speak, not your own. Even if you
are careful to define the terms and abbreviations early
on, every time they have to stop and think back to what
you said earlier, you have lost their attention for at least
that portion of the presentation.
A Wisegate Member recommends,

"Stay away from technical jargon and abbreviations because they'll glaze over. You've got to take all that out and distinctly say what you're trying to say to them."

Strategy #5: Clarify your message

Not only do you have to eliminate IT jargon, you have to know
how to translate information into the language of the audience,
whether it's the language of business, personnel, finance or
education. Take the time necessary to deliver the exact message
you want, without getting sidetracked or causing the audience to
become lost or bored before you deliver the main message.

The IT Risk Manager for a Financial Services Firm explains,

"For every five-minute presentation, I spend hours refining that message and making sure that the points are clear, that it's not cluttered and that they really get out of it what they were looking for. It needs to come home to them: why they should care about this and how it impacts whatever areas they're responsible for."

Strategy #6: Focus on the result

It is easy to get caught up in the nuts and bolts of a solution, but
that is not what the audience wants to hear. They are likely more
interested in the problem that needs to be solved and what the
result will be from implementing your proposed solution.

A Wisegate Member states,

"You should start with why you're there, what you're trying to accomplish, how you're going to do that, and the results of that. If you can summarize that quickly, they'll appreciate it."

Strategy #7: Keep their attention

For live presentations, it may be fun to create a detailed PowerPoint
presentation, but that can work against you. In most cases, people
don't want to wade through too much detail.
The Senior Security Manager for a Global Consumer Electronics
Firm states,

"If I can make it work, it's better to set it up so the first sentence or first bullet point answers their question. Make sure it's just straight to the point. Within that first 15 minutes, if I see executives drifting off, I'll have to do something. I always throw something in there to make it a little humorous. I'll add something just to catch everybody off-guard and make sure that they're still awake."

TIP: ADD SOMETHING HUMOROUS (WHEN APPROPRIATE)

The Senior Security Manager for a Global Consumer Electronics
Firm gives the following example of a presentation he gave to the
president. He had done a gap analysis and examined some old
internal tools that never really worked and everybody complained
about. As he shares,

"I listed the tools, and then I put 'sucks,' and I did another one and it said, 'sucks more,' then the third one I put 'really, really sucks.' They laughed at it, but then I put the politically correct one after that. I just did that just to break the ice."

Identifying and Mentoring Future Leaders


Unless a CISO can handle all the leadership duties within the organization, a CISO needs to
foster others who can move up within the information security ranks. So how does one find a
good candidate to groom for a leadership position given all the hats required?
Here are some of the qualities that Wisegate Member CISOs look for:

Tenacity: Somebody who's outgoing, who isn't afraid to take on
challenges and who's determined and tenacious in getting things
accomplished. As CISOs, we have to try again and again and again.

Vision: Being able to see past the current state, faults and
shortcomings and have a vivid image of what state you need to move
your program to, and then being able to articulate that vision clearly to
others.

Understanding of Business: If they don't understand the business,
they will never be good security officers. It's extremely important for
them to know what the business is, what the mission is and what the
leaders of the organization want to protect.

Versatility: Security professionals have to be versatile, so I'm always
looking for somebody who can just wear a lot of hats no matter what
they're doing.

Solution Oriented: I'm looking for someone to bring me a solution,
and someone who can sit down and explain it to me, what they've
thought about and what their opinion is. That shows me that they're
somebody who is willing to take the time and effort to look at a problem
from both sides and try to find a good workable solution.

Developing Skills in Emerging Leaders


Once a potential security leader has been identified, how does one go about grooming that
person for a more senior position? A Wisegate CISO Member states,

"Spend time with these promising folks. Take a look at their skills, just in inventory, and help them with the skillsets they might need assistance with."

Here's how Wisegate Members help develop the skills of their future leaders:

Communication Skills: For those who are not naturally great speakers, several of the
CISOs recommended participating in Toastmasters. To improve written presentations,
college and online business writing courses can help.

Business Classes: "I recommend others to take some basic business courses," says one
CISO. "It's not that you have to go after another degree, but you need to understand the
basics."

Cross-functional Teams: To develop collaborative skills, someone can be assigned
to a cross-functional team. Not only does it help the employee grow, but it provides a
manager insight into how that person interacts with others. "When you're working with
others on a cross-functional project, you learn their traits and personalities," says a Wisegate
Member. By giving them the opportunity to lead cross-functional projects according to their
skills and experience, it helps them grow by osmosis.

Learning by Experience: "I let them handle some day-to-day situations," says a Healthcare
CISO. "They're going to learn by the incidents that come up in order to develop the toolkit
they need."

Assigning Responsibility: They have to assume some accountability, and that's going to
lead to credibility which is vital in any CISO.


Weighing the Importance of Certifications


In addition to these skills, what about technical skills, and exactly how valuable are
security certifications?
Wisegate members weigh in:

Certifications build credibility: "I believe them to be vitally important," says one
CISO. "I'm going to go with the essence of why the certifications were created in the
first place, and that was to provide the business world with an assurance of somebody
having a baseline knowledge of information security and/or how to manage information
security."

A good way to get in the door: "It's a basic requirement if you're talking to a recruiter
and an HR person, because those are the keywords they're looking for," says a Financial
Services Security Executive. "Lack of certification makes you stand out and you will have
people questioning why you didn't put in the effort to sit for a six-hour exam for this
CISSP."

CISM may be more valuable than CISSP for CISOs: Of the CISSP and CISM, the
CISM was viewed as more valuable for a CISO. "If I'm hiring people, I'm looking for
something like a CISM to show that you spent time to study," says the Municipality
CISO. "If I've been working with somebody for a while and know their technical chops,
it's not as important because I know who they are and what they can do."

Experience trumps the certificate: Bottom line, it comes down to experience. So
when looking for someone to move up into management, security certification is
not always enough. As a CISO states, "Comparing a candidate with only a CISSP to
another with a CISSP and some server and network certifications, for example, I prefer
someone with a more rounded background."


In Closing
As the role and responsibilities of CISOs continue to expand, current and future
security leaders will need to develop the soft skills necessary to thrive within the
business and ultimately establish influence without executive authority, master
the art of persuasion through effective communication and nurture the next
generation of security leaders.
Being part of Wisegate keeps senior IT practitioners abreast of evolving
security management trends and informed on which approaches their peers
find effective. In-depth discussions on how CISOs overcome career challenges
using effective leadership strategies continue online at www.wisegateit.com.

IT experts. Trading IT knowledge.

Wisegate is an IT expert network and information service that provides senior-level IT
professionals with high quality research and intelligence from the best source available:
their peers. Through live roundtable discussions, detailed product reviews, online Q&A and
polls, and timely research reports, Wisegate offers a practical and unbiased information
source built on the real-world experience of veteran IT professionals. No analyst theories or
vendor bias to cloud the information, just clear and straightforward insight from experienced
IT leaders.

Would you like to join us? Go to wisegateit.com/request-invite/ to learn more and to submit your request for membership.
PHONE 512.763.0555 | EMAIL info@wisegateit.com | WEB www.wisegateit.com
