Top performing CISOs spend time on professional development: Gartner


Top performers also open to using new tech.

Sixty-nine percent of the top-performing chief information security officers (CISOs) dedicate time to their personal development, according to a new Gartner survey.


By comparison, only 36 percent of bottom-performing CISOs committed time to personal development.

The data was collected from 2020 through 2023 as part of a Gartner benchmarking survey of 227 CISOs. Respondents were measured on key areas of CISO effectiveness, with those scoring in the top one-third ranked as “top performers.”

Chiara Girardi, senior principal, research at Gartner, said that as the CISO role continues to rapidly evolve, it becomes even more critical for security and risk leaders to protect time for professional development.

“Developing new skills and knowledge as the role changes is essential to effectively serve as a strategic advisor to the business – the new CISO paradigm,” she said.

The research identified five key behaviours that significantly differentiate top-performing CISOs from bottom performers. According to Gartner, on average, each of these behaviours is at least 1.5 times as prevalent in top performers as in bottom performers.

For example, the survey found that 77 percent of top-performing CISOs initiate conversations in the enterprise on evolving national and international security norms, such as hacking back and threat attribution. This is compared with just half of the bottom performers who do so.

Girardi said no organisation can be fully protected against every cyber-threat.

“The most effective CISOs stay apprised of existing and emerging risks so they can provide leadership with context around the most significant threats facing the business, to influence investments and risk decisions accordingly,” she said.

Additionally, 63 percent of top-performing CISOs proactively engage in securing emerging technologies like artificial intelligence, machine learning and blockchain, compared with just 38 percent of bottom-performing CISOs.

As AI adoption proliferates, CISOs are already behind the curve in assessing its risk impact, Girardi explained.

“Threat actors are always one step ahead, so CISOs must be more proactive in understanding the security impact of technologies like generative AI and communicating those risks with senior business leadership,” she said.

Top-performing CISOs proactively engage with senior decision-makers across the business, such as by building relationships outside the context of projects (65 percent) and by collaborating to define enterprise risk appetite (67 percent).

Furthermore, the most effective CISOs regularly meet with three times as many non-IT stakeholders, such as heads of sales, heads of marketing and business unit leaders, as IT stakeholders.

Girardi said non-IT functions are key partners that can take technology and cybersecurity decisions outside of IT.

“By setting aside dedicated time to build relationships with senior business decision-makers across the enterprise, CISOs can cultivate an environment where decision-makers understand and care about cybersecurity, as well as consider cybersecurity implications in their decision making,” she ended.

© Digital Nation