Well, it’s happening! My first Forrester report was published this week. (Forrester clients can access here). The topic? Cyber security transformation of course! It’s what I have lived and breathed for the last 3.5 years. I have also engaged peer CISOs doing terrific work transforming their firms’ security function and capabilities – I’ve always had a passion to learn from their experience. What makes one leader a transformational CISO versus a traditional CISO? What is their secret sauce?
I found a couple of things when I wrote this doc:
- You are not alone. If the challenges highlighted in this report feel familiar to you, it’s because you are not the only one facing challenges. Writing this doc was pleasurable and cathartic: interviewing these brilliant CISOs and leaders whom I have incredible respect for, I found myself reflecting upon my own experiences and feeling a sense of relief and gratitude that I am not the only one who encountered the many challenges and experienced the highs and lows that go with a cyber security transformation.
- Cyber transformation is now A Thing: and at its heart is culture change. Unless you’re at one of the big banks, cyber transformation as a thing has really only emerged in the last 3-5 years and is truly taking off now. Some of the Big 4 consulting firms have re-shaped their service offerings around cyber transformation. There is now such a thing as Transformational CISOs (yep, people put it in their job applications and LinkedIn), job ads for Cyber Transformation Consultants and Programme Managers. This wasn’t always the case. There was no common definition of what makes a transformation versus a BAU security strategy – we agreed that rather than defining the difference, we would focus on the fact that what makes a transformation unique is the cultural change that must go with it.
- Kicking off or leading a cyber transformation is not for the fainthearted. I could have written a book: and mercifully for all of us I didn’t. Instead, I condensed my findings into 6 keys to a successful transformation. I had to focus my work on very specific actions summarizing hard work, grey hair and relentless drive of many security leaders and practitioners.
- Diversity matters: I address the importance of building the A-team in the doc, and that’s definitely something that deserves a doc in itself. One thing I didn’t talk about enough was the fact that every single leader whom I interviewed had one thing in common – they all had built extraordinarily diverse teams. A coincidence perhaps? Or further proof that diversity results in seriously brilliant outcomes?
Above all, my favourite part of this research, and one that has resonated with me very personally, was the discussions we had on the importance of resilience, and other personal leadership qualities. As an example of one of those gems in the discussion, Dr. Maria Milosavljevic told us: “People will get tired of hearing about security. CISOs need to keep going anyway and keep doing what needs to be done. Resilience is setting your sights on what ‘good’ looks like and moving forward.”
This is not a job for the fainthearted. If you are undertaking a transformation or considering undertaking one, you’ll need courage, resilience, a strong belief in your end outcome and a strong desire to take people on the journey with you.