By Matt Hillary
Over the years as a Chief Information Security Officer (CISO), I’ve learned that thriving in this position isn’t just about technical know-how. While deep technical expertise is essential, it’s the ability to navigate the nuanced, human-centered aspects of leadership that truly distinguishes effective CISOs. In my experience, the best CISOs are those who can balance technical mastery with strategic vision, emotional intelligence, and the creativity to adapt to ever-changing business environments. Here’s a breakdown of what I’ve discovered about leading in the cybersecurity space, and why soft skills can be just as important as hard ones.
Thinking Creatively About Security Challenges
While technical expertise forms the foundation of the CISO role, much of the work comes down to creative problem-solving. Being a CISO is like being a puzzle solver—you need to look at your organization’s specific challenges, risks, and goals, and figure out how to put the pieces together in a way that addresses both current and future needs.
Security leadership requires an ability to prioritize, innovate, and think outside the box. For example, during my time at a sales-driven company, we found that addressing complex issues like governance, risk management, and cloud security wasn’t the immediate priority. Instead, we focused on ensuring that terminated employees no longer had access to internal systems. By identifying and solving the most pressing problems first, we were able to have an immediate impact.
To determine your own priorities, ask:
- What is most critical to the business right now?
- What could impede growth or disrupt operations?
By thinking creatively and staying focused on what’s most relevant to the organization’s success, you can drive a security program that directly supports business outcomes, rather than just ticking off boxes on a security checklist.
Tailoring Security to Fit Your Organization’s Culture
One of the most crucial lessons I’ve learned as a CISO is that no single approach works for every organization. Each company operates in its own context, with its own set of challenges, priorities, and risk profiles. A security plan that makes perfect sense for a global e-commerce company might be wholly inappropriate for a small non-profit or a heavy industrial manufacturer.
Take, for example, a friend of mine who’s a CISO at a manufacturing company dealing with legacy hardware. While my focus might be on cloud infrastructure in a SaaS company, his primary concern is often securing aging Windows 7 systems that control manufacturing machinery. Likewise, the strategies I employ to secure online systems won’t apply to securing embedded firmware in medical devices. As a CISO, your ability to understand your organization’s unique risks and needs—and adapt your security strategy to match—is a vital skill.
Security is rarely one-size-fits-all, and being flexible enough to adjust your approach is often the difference between success and failure.
Framing Security as a Business Imperative
In my experience, one of the hardest, but most important, skills for a CISO is the ability to translate security concerns into business terms that executives can understand and support. Security can often be seen as a “cost center”—a necessary but expendable function. The challenge is to reframe it as an essential part of enabling business goals and reducing risk.
A technique I’ve found helpful is using quantitative risk assessment, such as the Annual Loss Expectancy (ALE) metric, to demonstrate the financial impact of security risks. By showing, for example, that a particular risk could cost the company 0,000 annually, and that mitigating it with a 0,000 investment will yield a return of 0,000, you make a compelling case for the need for security spending. When security becomes part of the financial narrative—when it’s framed as a driver of business resilience, trust, and efficiency—executives are far more likely to embrace it as a strategic priority rather than just a cost.
Navigating the C-Suite: Influence and Collaboration
A big part of a CISO’s job is working effectively with other senior executives. Success isn’t just about technical prowess; it’s about building relationships and navigating the politics of the C-suite. Whether you’re collaborating with the CEO, CFO, CIO, or CLO, you must be able to work within a broader leadership context to align security goals with business objectives.
One of the most important lessons I’ve learned is to involve key stakeholders early and often. Don’t wait until you have a finalized proposal to present; get input and feedback from the relevant parties—especially the CTO, CIO, CLO, and CFO—at every stage. This collaborative approach helps you refine your security plans, ensures they are aligned with the company’s broader strategy, and reduces the likelihood of pushback when it’s time to present your final recommendations.
When I present an initiative after gathering feedback and support from the team, it feels less like my proposal and more like our collective vision. This sense of shared ownership significantly increases the likelihood of approval and smooth execution.
Lifelong Learning and Staying Ahead of the Curve
Cybersecurity is a constantly evolving field, and as a CISO, you must commit to lifelong learning. Staying ahead of the latest threats and emerging technologies is a given, but it’s equally important to remain attuned to changes within your own organization—its goals, risk appetite, and business strategy. As the business landscape changes, so too should your security posture.
In addition to keeping an eye on the technical landscape, I also dedicate time to connecting with other security leaders. Whether through conferences, online communities, or peer groups, these interactions provide valuable insights and help me keep up with trends, best practices, and fresh approaches to solving complex security challenges.
In Summary: The Art and Science of Being a CISO
In the end, being an effective CISO is about more than just knowing your firewalls from your endpoints. It’s about being a strategic thinker, a creative problem solver, and a collaborative leader who can influence key stakeholders and align security with the broader business vision. While technical skills are fundamental, it’s the combination of emotional intelligence, strategic vision, and adaptability that will truly define your success.
The art of being a CISO is about creatively applying your expertise to drive security initiatives that not only protect the organization but also support its goals and growth. By mastering these non-technical skills—communication, creativity, and collaboration—you can elevate your role beyond just managing risk, becoming a true leader in the business that drives security forward.
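A worked version of the ALE comparison described in the section on framing security as a business imperative, added here as an example rather than the author's own figures or tooling. The sample risk (terminated employees keeping access, from the author's sales-company story) and all dollar amounts, occurrence rates and control effects are constructed for illustration; the formulas are the standard textbook ALE and return-on-security-investment definitions.

```python
"""Annual Loss Expectancy (ALE) and Return on Security Investment (ROSI).

Standard definitions assumed here (not taken from the article):
  ALE  = SLE * ARO        single loss expectancy x annual rate of occurrence
  ROSI = (ALE_before - ALE_after - control_cost) / control_cost
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    single_loss_expectancy: float     # dollars lost per occurrence
    annual_rate_of_occurrence: float  # expected occurrences per year

    @property
    def ale(self) -> float:
        return self.single_loss_expectancy * self.annual_rate_of_occurrence


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    aro_reduction: float = 0.0  # fraction of occurrences prevented (0..1)
    sle_reduction: float = 0.0  # fraction of per-incident loss avoided (0..1)


def residual_ale(risk: Risk, control: Control) -> float:
    """Expected annual loss that remains once the control is in place."""
    return (risk.single_loss_expectancy * (1 - control.sle_reduction)
            * risk.annual_rate_of_occurrence * (1 - control.aro_reduction))


def rosi(risk: Risk, control: Control) -> float:
    """Return per dollar spent; a negative value means the control costs more than it saves."""
    if control.annual_cost <= 0:
        raise ValueError("control cost must be positive")
    savings = risk.ale - residual_ale(risk, control)
    return (savings - control.annual_cost) / control.annual_cost


def rank_controls(risk: Risk, controls: list) -> list:
    """Order candidate controls by ROSI, best first, for the budget conversation."""
    return sorted(controls, key=lambda c: rosi(risk, c), reverse=True)


# Constructed scenario: stale access after offboarding. ALE = $200k * 0.5/yr = $100k/yr.
TERMINATED_ACCESS = Risk("terminated employee retains access", 200_000.0, 0.5)
CONTROLS = [
    Control("automated deprovisioning", annual_cost=30_000.0, aro_reduction=0.9),
    Control("quarterly access review", annual_cost=10_000.0, aro_reduction=0.5),
    Control("log monitoring", annual_cost=50_000.0, sle_reduction=0.4),
]
```

Note that the cheapest control wins on ROSI while automated deprovisioning removes the most absolute expected loss; presenting both numbers lets the CFO choose between return per dollar and total risk reduction.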