The Post-Pandemic CISO


Community Blog
Written by Eric Gneckow

SEPTEMBER 29, 2020

The disruptions of COVID-19 have amplified the legitimacy of several leadership best practices for cybersecurity executives, helping to crystallize those elements of the role’s persona for a time beyond the current pandemic era, according to emerging observations from chief information security officers and their peers.

Two pillars of that evolution – an enhanced level of influence across other senior decision makers and improved engagement of teams amid the pandemic – have provided a steppingstone that will further elevate the CISO role, executives said.

“This has helped us to focus and step up,” one large-enterprise CISO said. 

Starting in March, cybersecurity executives across North America, Europe and Australia have shared their latest insights during a series of candid, virtual “town hall” events. Organized through Evanta, a Gartner Company, these discussions provided regional, large-enterprise executive communities a peer-driven virtual venue to share ideas at a time when many found themselves working from home.

Among the earliest themes to emerge was the rapid advancement that many CISOs achieved in maturing their security programs despite massively disrupted work environments, an accomplishment that several attributed to the ability to make the case that the urgency of the pandemic left no other option.

“There is a joke going around that COVID-19 has done more for your digital transformation than anything else,” another CISO said.

 

Impactful Influence

In a June Evanta pulse survey of security executives, the vast majority of CISOs – over 90% – indicated they are growing or thriving as a leader amid the pandemic.

Almost half of respondents – 44% – said that they have grown as a leader. About 30% said the dynamics of the pandemic have revealed new areas for growth, while nearly one fifth – 18.3% – indicated they have thrived as a leader during this time.

In contrast, only 3% responded that they have struggled as a leader.

Large-enterprise CISOs said over the past few months that the dynamics of the pandemic have highlighted and amplified some existing ways their role effectively influences direct reports, senior leaders and other stakeholders across the organization. Stress-testing some known best practices has demonstrated how those strategies will apply going forward.

Firstly, many CISOs have seized on the narrative of the pandemic moment to drive buy-in for initiatives that have previously stalled – even during a time of massive business disruption.

With stakeholders across the organization able to grasp how bad actors are exploiting COVID-19, including a surge of fraudulent emails touting government aid or important internal announcements, CISOs have ridden a unique opportunity to tell a story of risk management that resonates widely across other roles. 

While increasing cybersecurity awareness among the public was already an asset for gaining buy-in, the pandemic has further highlighted the importance, in the words of one CISO, of “the power of the story.”

“It doesn't matter if security is in your job description, we say security is everyone's job. Everyone should play a role. Even if it's ‘see something, say something’ by reporting phishing messages or simple actions they can take,” said one CISO.

Gains made by leveraging messaging around pandemic risk include investments to advance a stalled multi-factor authentication program despite significant organization-wide budget cuts, rapid migrations to secure cloud environments and improved receptiveness to security awareness training from the C-suite to the frontline employee.

Engaging Teams

As CISOs indicated they are gaining improved buy-in from stakeholders and decision makers outside the security function, so too have several revealed success in engaging their own teams. With many security teams working remotely amid the pandemic, the success has far-ranging implications for the way security leaders manage and recruit talent going forward.

Several security leaders said they are finding their teams to be more productive in a work-from-home setting, and maintaining engagement and comradery has hinged on the soft skills of leadership and empathy. Team virtual “happy hours,” mandated 1:1s and flexible hours have helped to maintain fellowship among direct reports. 

“Working from home offers its own challenges, and there has been a need to be flexible and move to more asynchronous work. Encouraging video on collaboration tools, keeping up with one-on-one meetings and participating in virtual happy hours are ways we have remained connected,” said one CISO.

The case study of security teams working remotely and successfully could have a profound impact on the talent landscape for cybersecurity, several CISOs said. Many describe cybersecurity as a field with “negative unemployment,” making recruitment and retention a major ongoing concern.

Indeed, the number of unfilled cybersecurity positions is projected to reach 3.5 million globally by 2021, according to reporting from The New York Times.

As security programs prove their efficacy in a remote work environment, an expanded, remote talent pool could change the game.

“This is the future of our workforce – remote work,” one security leader said.

Leading Into the Future

The disruptions of the current pandemic have presented CISOs with a range of challenges – and opportunities. Yet the disruptive moment has also been a catalyst in many ways, giving the role a more prominent voice in leadership and overall business strategy.

As the world emerges more resilient from the pandemic, will the CISO role also emerge stronger?

“If I had to point out one thing that has evolved over the years in cybersecurity and the job of a CISO today, it’s a business problem, not an IT problem and that’s really the crux of it,” one CISO said.

 


Eric Gneckow

Director, Content at Evanta, a Gartner Company