One of the most important assets for any CISO, Kark said, is the ability to act as a "kingmaker," someone who helps other people improve their own skills by acting as a mentor, rather than as a draconian ruler who merely gives commands and expects them to be followed. "CISOs need to help other people succeed and take over different responsibilities. This should be part of their overall security strategy," he said.
A related talent is not playing the blame game. "CISOs also have to be willing to take on a lot of the blame when things go wrong, even if it was someone else's fault. You don't want to take the blame for everything, but if you can stand up for someone else's mistake and use that to work on issues that improve the overall position of the organization, that's a great thing to do."
Value of deep technical skills is questioned
One aspect that the Forrester report did not cite as critical to a CISO's success was having a high level of technical skills. "Some people said yes, and others said no. This is an old debate," Kark said. "I think the key is that you absolutely need to have the ability to comprehend technical data, but you don't necessarily need the hands-on skills. Many successful CISOs don't focus on operational issues like managing firewalls, but they do need to be aligned with defining security policies and crafting the risk posture of their organization."
In fact, many CISOs who do have technical skills contend that the knowledge often leads to them getting tied down in too many operational decisions and projects, he said.
Regardless of a CISO's technical abilities, Kark said that it will become increasingly important for security leaders to move away from a bottom-up approach to security, where the focus is what tools to use, to a top-down approach driven by risk management and governance concepts. "These executives need to move from operational expertise into more of a role of a strategic thinker, from a policeman to a trusted adviser," he said. "They need to see themselves more as a consultant, as opposed to an auditor, and transition from a specialist in IT security to a generalist in overall business risk."