The CISO as an Accountable Leader

3 min read
(July 3, 2023)

CISOs need to stop solely relying on a risk-based narrative and start connecting Trust, Safety, Compliance and Security initiatives to revenue growth. Organizations can get the most value from their CISO by recognizing the role in delivering stakeholder value and giving them authority and agency to do so.

Executive Insights:

  • C-level leaders should maintain focus on value and revenue for maximum accountability.
  • If Trust is material to the customer journey, buying story, compliance story, market access story, or revenue story, then an organization needs a CISO to lead Trust at the highest levels.
  • The number of CISOs reporting directly to CEOs is declining from 8% in 2022 to 5% in 2023.
  • CISOs must be able to demonstrate value accountability through aligned product and revenue strategies and confidently convey the Trust Story aligned to the GTM motion.
  • To unlock leadership potential, CISOs must break away from negative perceptions of the role by redefining Assurance practice outcomes in terms of Revenue and Trust Stakeholder Value.

Data protection leaders with a LinkedIn presence have for years been publicly voicing their dissatisfaction with a lack of credible agency, accountability, and recognition of the value the CISO role brings to the organization.

The 2023 Heidrick & Struggles CISO Survey reveals that the number of CISOs reporting directly to the CEO is falling (dropping from 8% in 2022 to 5% in 2023). While Board visibility has greatly increased, CISOs may be limited to a single time-boxed slide addressing entity risk, and may not be positioned to discuss the Return on Trust (RoT) of Assurance programs in a valuation or revenue context.

CISOs often have difficulty functionally aligning all Trust, Security, Safety, and Compliance motions under one organization due to org chart debt, competing priorities, or outmoded management thinking. To break from the negative perception of their role, CISOs must redefine Assurance practice outcomes in terms of Revenue and Value, in alignment with the way Accountable leaders are measured, and move away from exclusively telling risk, security, and compliance stories to the rest of the business.

Leadership Accountability Hierarchy

The leadership accountability hierarchy describes three leadership tiers:

  • Liable leaders are accountable directly to ownership stakeholders for global entity performance and valuation.
  • Accountable leaders answer directly for their section of the value journey and own that piece of the business.
  • Directable leaders are accountable for tactical execution with entity-level impact.


Many CISOs today may find themselves in the “Directable Leader” layer, reporting into an Accountable Leader such as the CFO, COO, or CIO. In such a relationship, investments in Trust and Safety are operational cost control exercises, often disconnected from the realities of market trust requirements and the demands of trust stakeholders. CISOs have long sought a “seat at the table” where strategic decisions are made, that is, to move from the Directable layer to the Accountable layer.

This “seat” is available only to those CISOs who can demonstrate value accountability for parts of the Customer, Revenue, and Valuation stories, display a deep understanding of GTM and of the contours of the market in which the organization plays, and clearly define the market value of Trust to stakeholder Value. The CISO who can shift from a service mindset to a product mindset, and from service stories to value stories, will own accountability for revenue tied to Trust, Safety, Compliance, and Security.

A strong "C"-level leader should always direct their focus to the end goal of value and revenue. Accountable leaders act strategically and report outcomes in revenue terms. This accountability is enabled by independence, agency, authority, and appropriate tactical resourcing.

For historical reasons, the CISO lacks this agency and authority, and may also lack visibility and influence in GTM motions. However, if a CISO (in addition to leading the Information Security function) influences product planning and implementation, speaks regularly with external stakeholders (such as customers, boards, prospects, and regulators), communicates the Trust Story alongside product and entity value stories, and does so in service of the revenue strategy, then that CISO is an Accountable Leader owning the revenue and value impact of the Trust Journey.

The “C” in any Accountable leader’s title relates directly to value accountability. If Trust is not a material part of the customer journey, the buying story, the compliance story, the market access story, the revenue story, or other value stories, then perhaps the organization does not need a CISO but an IT Security Leader focused on technical security and value loss prevention. However, if Trust is material to value, only a CISO can definitively lead this area of the business and unite the various Trust programs under one cohesive strategy measured with the only metric that matters: stakeholder value. Liable leadership should not hesitate to allow the CISO to own Trust at the highest levels, and should support a CISO’s ascension to real accountability.