What characteristics define an influential information security leader? A while back I received a survey request asking for the top three characteristics that define an influential information security leader. I analyzed the question and offered my choices.
This survey was conducted by SC Magazine, an industry magazine for information technology security professionals, in cooperation with (ISC)2, the organization which administers the Certified Information Systems Security Professional (CISSP) certification. The survey was basically made up of just one question asking participants to list the three main factors that make an information protection person an influential information security leader.
Before I could provide the three elements, I needed further clarification about what the word "influential" means. So, I did my research on the internet and came up with the following definitions:
- a power to affect persons or events
- causing something without any direct or apparent effort
- have and exert influence or effect
- a cognitive factor that tends to give direction or have an effect on another’s action
- the effect of one thing (or person) on another
- induce another into action by using one's charm
In summary, the word "influential" seems to refer to a person who has the power to get the desired results or outcome by guiding the actions of others. Such power can stem from qualities such as charm, respect, and wisdom. Having defined the qualities of an influential person, here are my three selections for the survey: Trust, Credibility and Reporting Level.
Although I was allowed to only enter three characteristics, I had more reasons for why a person should be considered the most influential information security professional. Below, I have further described my selected items for defining the most influential information protection leader.
Trust is the first characteristic that came to my mind when I was completing the survey, because without trust there can be no effective collaboration and sharing of information with other internal groups. Most information protection and audit professionals would agree that we often rely on other groups to help us with our risk assessment efforts, and as such they can be very helpful in identifying the risks as well as the best possible mitigating solutions. Therefore, having a trustworthy relationship is critical for collecting information, especially sensitive information which, if misused, could adversely affect the person or group that provides it.
I also selected credibility as another characteristic for defining the most influential information security professional because I think that an information security group’s combined skill set, quality of work, and ability to select and complete projects within the established budgets is also important for being influential.
Lastly, the reporting level within the organization also determines whether an information security leader is influential or not. If an information protection group and its leadership are buried in a bottom corner of the organizational chart with little or no oversight, budget, or resources, and the group is treated as a dumping ground for tasks that no one else wants or that are not considered a critical part of the function, then an influential information security leader cannot exist in that environment, even if the person has all the other qualities of an influential information security professional. In the bigger picture, the reporting level determines how capable the leader is allowed to be, along with other elements such as having adequate resources to accomplish the data protection goals.