10 rules for security leadership

I have worked as a security leader since the early commercial days of the internet, where the CISO role only existed in some areas of financial services. Participating in the growth and maturity of security as a business function has been an amazing journey. I have learned a lot of lessons on my own, through my personal experiences, or via my peers.

One thing I was not able to do was learn from experienced CISOs that have time and distance to reflect on how to best be successful as a CISO. I would have saved myself some painful lessons if I knew these foundational rules in the past. 

The role of chief information security officer (CISO) — and equivalent roles — is a high-stakes position. To thrive, CISOs must master a unique blend of technical expertise, business acumen, and people skills. 

In addition to the “head’s down” day-to-day functions — strategy, risk management, vendor/partner management, security assurance, governance, etc. — there’s a more important side of the job. Internal collaboration and communication with other executives, department heads, and stakeholders helps CISOs align security initiatives with business objectives. This includes participating in board meetings, aligning with business strategy, providing security updates, and collaborating with cross-functional teams.

By understanding their organization's DNA and cultivating a collaborative security culture, CISOs can make an indelible impact on their organization's cybersecurity resilience while maximizing their personal performance.

Drawing from the collective wisdom of industry experts, experienced cybersecurity professionals, and, of course, fellow CISOs, we explore the core principles that separate exceptional CISOs from the rest. From this discussion, we present 10 rules for security leadership: