Most cybersecurity professionals have higher confidence in CISOs if they have experienced a major cyber-attack or cybersecurity incident, an industry poll has revealed.
Published by cybersecurity certification body ISC2, the research asked 796 people working in cybersecurity for their views about their cybersecurity leadership.
Over three quarters of those agreed that a cybersecurity leader’s credibility is enhanced if they have already been in charge during a real, high-profile security incident.
Overall, 35% said they “strongly agree” and a further 41% said they “somewhat agree.” Under one in ten said they didn’t agree.
The outcome or potential blame around the previous cyber incident does not seem to play a role in the trust in the cybersecurity leader, only that the experience they had during the incident mattered.
“Leading through a major cybersecurity incident can build credibility because it gives leaders practical experience, perspective and the ability to stay composed under pressure,” Scott Beale, CEO of ISC2 told Infosecurity.
“These findings suggest cybersecurity professionals value leaders who can apply those lessons to make better decisions, communicate with clarity and strengthen resilience across the organization,” he added.
What Good Cybersecurity Leadership Looks Like
When asked whether technical hands-on experience or strategic and executive leadership experience were more valuable in a cybersecurity leader, the majority of respondents (71%) said that it was important for them to have both.
However, of those who preferred one over the other, 18% said that cybersecurity leaders should have strong strategic and executive leadership experience.
Read more: Five Critical Skills for the Modern Day CISO
Many commented that strong leadership traits such as the ability to drive teams through high-stress situations, business acumen and the ability to articulate complex ideas and technologies in simple business-oriented terms were essential for the role.
Just 11% said extensive hands-on technical or incident response was the most important attribute.
According to ISC2, four practices were particularly important to respondents:
- Communicating With Clarity and Honesty: Be transparent about risks, priorities and challenges. Teams and executives are more likely to trust leaders who provide realistic assessments rather than overly optimistic narratives
- Leading With Consistency During Uncertainty: In high-pressure incidents or periods of change, calm and consistent decision-making reinforces confidence and demonstrates leadership maturity
- Building Relationships Beyond the Security Function: Strong cybersecurity leaders invest time in understanding business objectives and collaborating across departments, helping position security as an enabler rather than a blocker
- Empowering and Developing Teams: Trust grows when leaders create environments where teams feel supported, heard and accountable. Investing in professional growth and recognizing contributions strengthens both morale and organizational resilience
“Ultimately, the most successful cybersecurity leaders are not simply those who protect systems and data, but those who create trust in their leadership when it matters most,” the report concluded.
The ISC2 London Chapter will be part of Community@Infosec during Infosecurity Europe 2026. You will also be able to find ISC2 at Infosecurity Europe Booth #F159.
