Information security leaders - the CSOs, CISOs, and IT Directors and Managers - play a critical role in today's businesses. From safeguarding intellectual property, to protecting sensitive customer information, to managing internal IT controls in support of rampant industry and government regulations - information security leaders have a lot on their plates.
One thing I have discovered over the years, both as an employee and as a consultant, is that some information security leaders are highly successful in leading their cause while many are not. I suspect you have noticed this as well. With all things being equal, such as executive support for security initiatives, employee awareness and so on, there are specific personality traits and leadership skills that are essential for success. Here are the most important:
1. Tons of common sense
Information security leaders who have a practical eye for what really works and what does not, from both a procedural and a technical perspective, are the ones who succeed. Leaders who are strictly theoretical and work by the book, believing that firewalls, encryption and other fancy vendor-pitched solutions are all that is needed, are ultimately the ones who fail.
Successful information security leaders make informed decisions. They do not believe everything they hear. They realize that reasonable and practical security documentation, technical controls and organization-wide awareness of the risks involved with IT are really what make up information risk management.
2. Ability to sell
Information security leaders who can sell the importance of security to their executives and employees are the ones who succeed. They possess a passion for what they believe and are able to motivate others through mild persuasion. They know that human actions are motivated by two things: 1) the desire for gain, or 2) the fear of loss. This does not mean they operate based on fear, but rather they educate themselves on the risks involved. Leaders who operate on fear, uncertainty and doubt force safeguards in the name of information security without keeping the end-goals in mind. They sell security based strictly on ROI and theoretical calculations of risk which hardly works in the real world.
Successful information security leaders focus on selling security to others in terms of both the end-user experience (convenience and usability) and the business overall (what it will buy and protect the business from long-term).
3. In touch with technology
Information security leaders who possess the ability to embrace technology, study it, and understand where it does and does not fit in are the ones who succeed. At the same time, these leaders have enough maturity to understand their limitations. They know when to delegate technical issues and to whom they should delegate them. Leaders who ignore technology and view it as "the network administrator's deal" or - at the other extreme - sink their heads so deeply into the technical world that they refuse to let go and focus instead on the more important business-level issues, will run out of fuel quickly.
Successful information security leaders realize that technology is not the solution to information security problems; however, they do know enough about technology to be able to embrace it to enforce policies and make informed decisions on security controls and purchases.
4. Tendency to think long-term
Information security leaders who keep their eyes on the horizon and are constantly creating innovative ways that information security can help the business are the ones who succeed. This can come in the form of implementing new controls that make a system more usable while, at the same time, increasing its security. Or, it could come in the form of new service offerings, facilitated by enhanced security, that help create a competitive advantage. These leaders also avoid short-term technical solutions that claim to solve problems which could otherwise be fixed with enhanced security processes using technical controls they already have. Leaders who do not last are the ones who either demand overly strict controls or no controls at all, without keeping the end-user and the business in mind.