Image: marchmeena29, Getty Images/iStockPhoto

As attackers become more sophisticated and entire offices have been sent to work from home during the pandemic, the enterprise chief information security officer (CISO) matters more than ever. Unfortunately, a new Gartner survey of 129 heads of information risk functions found that only 12% of CISOs qualify as "highly effective."

The poll was conducted earlier this year, but the results were released at the Gartner Security & Risk Management Summit held virtually this week (Sept. 14-17) for the Americas and EMEA.


Gartner measures CISO effectiveness "by a CISO's ability to execute against a set of outcomes" in four categories:

  1. Functional leadership
  2. Information security service delivery
  3. Scaled governance
  4. Enterprise responsiveness

Respondents' scores in each category were combined into an overall effectiveness score, and Gartner defines "effective CISOs" as those who scored in the top third of that measure. The percentages fall off sharply as more categories are added: 46% of respondents excelled at functional leadership alone, 20% at the first two categories, 13% at the first three, and only 12% at all four.

The bar is high, and few CISOs excelled in every category. The survey also tested nine characteristics commonly assumed to set effective CISOs apart, and only three held up: more years in the current role, more years in the current industry, and working in a heavily regulated industry. The other six showed no meaningful relationship to effectiveness: working more hours, more years of IT experience, more interactions with IT stakeholders, more certifications, working in a larger organization, and having an "optimal" reporting structure.

The report also found that CISOs "tend to allocate more valuable resources and time toward 'tactical' activities than they'd like."


“Today’s CISOs must demonstrate a higher level of effectiveness than ever before,” said Sam Olyaei, research director at Gartner, in a press release. “As the push to digital deepens, CISOs are responsible for supporting a rapidly evolving set of information risk decisions, while also facing greater oversight from regulators, executive teams and boards of directors. These challenges are further compounded by the pressure that COVID-19 has put on the information security function to be more agile and flexible.”

Results of the study showed that the top-performing CISOs demonstrate five key behaviors:

  1. Initiates discussions on evolving norms to stay ahead of threats
  2. Prioritizes keeping decision-makers aware of current and potential future risks to the enterprise
  3. Proactively engages in securing emerging technologies
  4. Has a formal and actionable succession plan
  5. Defines risk appetite through collaboration with senior business decision makers

The survey also found that top-performing CISOs meet with non-IT stakeholders three times as often as bottom-performing CISOs do.

The report said, “Two-thirds of these top performers meet at least once per month with business unit leaders, while 43% meet with the CEO, 45% meet with the head of marketing and 30% meet with the head of sales.”

The stereotype of the aggressive Type A personality as the ideal leader is not just dated but untrue, at least for the most successful CISOs. The report found that highly effective CISOs are better at managing workplace stress and fatigue (even when that workplace is virtual). Only 27% of top-performing CISOs report feeling overloaded with security alerts, compared with 62% of the lowest-rated performers.

“As the CISO role becomes increasingly demanding, the most effective security leaders are those who can manage the stressors that they face daily,” Olyaei said in the release. “Actions such as keeping a clear distinction between work and non-work, setting explicit expectations with stakeholders, and delegating or automating tasks are essential for enabling CISOs to function at a high level.”
