Cybersecurity professionals place significant value on CISOs who have led organizations through major security incidents, according to new research from ISC2. The survey of 796 industry practitioners found that 76% believe a security leader's credibility increases if they have managed a high-profile cyber attack, with 35% strongly agreeing and 41% somewhat agreeing with this assessment. Notably, the outcome of the previous incident appears less important than the experience itself.

The research highlights a shift in how the industry evaluates security leadership qualifications. While 71% of respondents said both technical and strategic skills are essential, those who expressed a preference leaned toward strategic and executive leadership experience (18%) over hands-on technical skills (11%). This suggests the CISO role has evolved beyond purely technical expertise to encompass broader business leadership capabilities.

According to ISC2 CEO Scott Beale, managing major incidents provides leaders with practical experience, perspective, and the ability to remain composed under pressure. These qualities enable better decision-making and clearer communication during critical situations. The survey identified four key leadership practices: transparent communication about risks and challenges, consistent decision-making during high-pressure situations, building relationships across business units, and creating supportive environments that empower security teams.

The findings reflect growing recognition that CISOs must balance technical knowledge with business acumen. Respondents emphasized the importance of articulating complex security concepts in business terms and positioning security as an organizational enabler rather than an obstacle. Strong leadership during stressful situations and the ability to drive teams through incidents emerged as critical attributes.

Organizations hiring or evaluating CISOs should consider candidates' incident response experience alongside traditional qualifications. Security leaders should focus on developing cross-functional relationships, maintaining transparent communication with executives and teams, and investing in team development. The research suggests that trust in security leadership grows not just from preventing incidents, but from demonstrating competence and composure when incidents occur.

Source: https://www.infosecurity-magazine.com/news/infosecurity-europe-isc2/