The most effective chief information security officers (CISOs) consistently engage with leaders outside the IT department, according to new Gartner research.
At Gartner’s Security and Risk Management Summit in Sydney yesterday, Arthur Sivanathan, director advisory at Gartner, broke down the findings of a global study analysing the performance metrics, mindsets, behaviours and structural features of the role for more than 100 CISOs.
According to Sivanathan, “The place that most CISOs spend most of their time is with IT leaders, which uncomfortably has no correlation with CISO effectiveness, zero in fact.”
Meeting with IT colleagues is considered table stakes for the CISO and does not increase their overall effectiveness, he said.
The research reveals that monthly meetings with the CFO, chief digital and analytics officer and head of sales, and quarterly meetings with the CEO, board of directors, head of communications, chief marketing officer, external audit and the CHRO have a positive correlation with CISO effectiveness.
CISOs are over-investing their time in security operations, staff management, policy and standard setting, project risk assessment and oversight, and vendor management, and under-investing in stakeholder relationship building and strategic planning, he said.
According to Sivanathan, the biggest obstacle to displaying the behaviours and mindsets of an effective CISO is ineffective time management.
“When you were sent to the CISO role you stopped being an operator and started being an executive. Believe it or not, your ability to control your time has skyrocketed. You're the boss now. But too many CISOs don't treat their time like what it is, the scarcest resource,” he said.
The survey asked CISOs about structural factors such as company size and team size, as well as what they do and how they do it. Sivanathan said the results are good news for CISOs.
“Most of what drives CISO effectiveness falls into those latter categories, mindsets and behaviours, which makes them 100 percent within your control.”
