The role of chief information security officer (CISO) is a high-wire act balancing long-term strategic planning and immediate crisis management. It demands a unique blend of technical expertise and leadership acumen.
Being a CISO can offer significant rewards beyond the inherent challenges. The opportunity to shape an organization’s security, build strong teams and directly impact the resilience of a business can be incredibly fulfilling.
The strategic influence a CISO wields, coupled with the satisfaction of mitigating significant risks and protecting valuable assets, provides a deep sense of purpose and accomplishment. Yet, too often, the narrative of the CISO is defined by the unpredictable events they must navigate, rather than the legacy they aspire to leave behind. This needs to change.
Deloitte’s recent report, The Last 90 Days of a CISO, paints a vivid picture of the current pressures they’re up against. Interviewing 25 CISOs across various industries, the report reveals a role characterized by a sense of isolation and a pervasive fear of the next breach.
Many CISOs admitted they wouldn’t take the role again, highlighting the immense strain and precariousness of the position. The margin for error, as the report emphasizes, is razor thin.
Traits of a Successful CISO
This anxiety is by no means baseless; recent data reveals that just over four in 10 UK businesses (43%) reported experiencing a cybersecurity breach or attack in the last 12 months – approximately 612,000 UK businesses.
While this represents a decrease from 2024, the prevalence remains alarmingly high, particularly for medium and large businesses (67% and 74%, respectively).
However, amid the challenges, the report suggests that the most effective CISOs don’t merely react; they actively shape their destinies and focus on what can be controlled. They define their success, build their legacies, and ultimately, leave their organizations stronger and more resilient than before.
This isn’t about ignoring the unpredictability of the role. Elements of cybersecurity are, by their very nature, reactive, and it’s fair to assume that incidents will happen. But effective leadership lies in building the resilience to withstand these inevitable storms, and in proactively shaping the environment in which those storms are weathered.
This control begins with clarity. The report highlights the critical need for CISOs to clearly define their roles and expectations, both internally and with the board. Without a clear mandate, the CISO is left vulnerable to conflicting demands and shifting priorities.
Several CISOs described spending their first year “defining the job as much as doing it,” carefully navigating internal politics and building influence. Others noted the importance of tailoring their messaging to different audiences, offering reassurance and clarity to various stakeholders.
Building trust with stakeholders, both within and outside the organization, is paramount, and this trust forms the bedrock of a strong security position.
Leverage Collaboration During a Crisis
Many CISOs interviewed for Deloitte’s report described feeling pulled in multiple directions, juggling incidents, team management, board engagement and strategic planning simultaneously. Several admitted the only way to protect time for strategic thinking was to deliberately block it out in their calendars.
One CISO even stated that it took a personal health crisis to realize the necessity of delegating more effectively. Effective CISOs empower their teams to act independently, fostering a sense of shared responsibility. They cultivate strong relationships with peers and mentors, creating a support network that helps them navigate the inevitable challenges.
One CISO we spoke to, facing a devastating ransomware attack, found themselves not only battling the technical complexities of the breach but also the immense emotional strain. The long hours, the constant pressure and the weight of responsibility were immense.
However, this CISO’s response was defined by collaboration, not isolation. They had proactively cultivated strong relationships with their team, fostering a culture of open communication and shared responsibility.
When the crisis hit, this groundwork proved invaluable. They leaned heavily on their deputy, who had been empowered to make key decisions independently, freeing the CISO to focus on strategic communication with the board and stakeholders.
Regular check-ins with their peer network provided crucial support and fresh perspectives, helping them navigate the complex landscape within the organization.
The CISO also prioritized their own well-being, relying on their support system, both professional and personal, to maintain perspective and prevent burnout. This experience underscored the critical importance of building strong, trusting relationships before a crisis hits, transforming a potentially overwhelming situation into a collaborative effort, that ultimately strengthened the organization’s resilience and the CISO’s leadership.
Prioritize Self Care
Finally, and perhaps most importantly, effective CISOs understand the human element of the role. The emotional toll is significant, and the report emphasizes the need for self-care and a healthy work-life balance by taking regular breaks and scheduled time off to manage stress and poor mental health.
The CISO’s role will never be easy. It’s a demanding, high-pressure position that requires a unique blend of skills and resilience. But by focusing on the things they can control such as their narrative, their relationships, their teams and their own well-being, CISOs can not only survive but thrive, leaving behind a legacy of strength and security.
