A significant key to success for technology-security leaders appears to be the ability to combine business acumen with technology expertise. “It’s assumed that the information security leader has both the technical and tactical/operational skills to do the job,” states a report from consulting firm SpencerStuart. “Strategic and business acumen will distinguish the successful security leaders,” the report notes.
Data security, cybersecurity, and information security are similar to technology security (also known as IT security) but not precisely the same.
At the highest level, the leader in charge of technology security may be the Chief Information Security Officer (CISO). Some roles along the way to the top include security analyst, security engineer, security administrator, security architect, security specialist, and security consultant. Fifty additional titles are listed in this article.
Preferred Background: Education and Experience
The SpencerStuart report notes evolving opinions about the importance of strong technical expertise for tech-security leadership. “While most executives we interviewed agreed that it may not be necessary to be an engineer or to have spent one’s entire career in IT,” the report states, “a good understanding of IT networks and systems is important, particularly as an increasing percentage of most businesses relies on technology.” Verbiage from a job posting encapsulates this idea of combining technical, leadership, and business knowledge: “[The role] includes the technical integration aspects of security technologies and processes, but also the leadership responsibilities related to leading effective corporate initiatives.”
Cybersecurity consultant and global CISO Phil Ferraro identifies three types of tech-security leader: (1) technically savvy leaders who rose through the ranks from the technical side of IT, but may not be adept at communicating how tech security affects business risk and impacts shareholder value; (2) excellent presenters who are good at getting buy-in but may not completely understand technology security’s effect on business; and (3) “Those who have a deep technical understanding and excel at executive program management. These are the rock stars,” Ferraro says. “They have it all.”
A review of job postings in the discipline indicates that many, but not all, roles require a bachelor’s degree; some ask for an MBA or other master’s degree. Certifications, such as CISSP (Certified Information Systems Security Professional), are also available and sometimes desirable to employers.
An array of hard skills, soft skills, and personal traits are keys to success in tech-security leadership. The field suffers from a skills gap, according to a 2020 report in Forbes. Citing House Research and Technology Chair Haley Stevens (D-MI), Forbes writer Ted Knutson cautions that “many of the half-million cybersecurity job openings are going begging because college computer-science graduates often lack the needed skills and hands-on experience.” Knutson also points to Stevens’s observation that the lack of women in the profession exacerbates the skills shortage.
The SpencerStuart report summarizes top traits for tech-security leaders: “An effective security leader will be a strategic thinker, knowledgeable about IT and physical security issues, as well as the business. He or she will have superior communications skills and be able to make decisions quickly based on the available information, whether in day-to-day operations or in crisis situations.” Additional leadership characteristics include the following:
Predominant Leadership Styles in the Technology-Security Field
Several researchers have considered leadership styles in the tech-security field. One academic research study by Debasis Bhattacharya found a significant correlation between transactional and transformational leadership styles and the level of concern towards information-security problems. Analysts Jeff Pollard and Josh Zelonis also support transformational leadership for these leaders, especially since the arrival of the COVID-19 pandemic, which, the authors say, “changed the security landscape” with “employees working remotely off non-work-provided devices, data flowing haphazardly, and strategic plans disintegrating.”
Christophe Veltsos looked at the pros and cons of a charismatic tech-security leadership style, noting that charismatic leaders are good storytellers, have magnetic personalities, and “can clearly and eloquently articulate a vision.” On the negative side, however, a leader’s charisma can “undermine communications about cyber risks,” Veltsos asserts.
Given that no one leadership style dominates tech security, the multiple authors of the eBook, 90 Days: A CISO’s Journey to Impact, offer the practical advice that “leadership styles vary, so the best way to lead the security efforts in your organization will be the one that you are able to implement most effectively.”
These resources offer additional insight on leadership in technology security:
- The New CISO: From Technology to Business-Focused Leadership: 25 CISOs Share Expert Advice on How to Make it in the “C Suite”
- Redefining Security Leadership in a Riskier World