Well, it’s happening! My first Forrester report was published this week. (Forrester clients can access here.) The topic? Cybersecurity transformation, of course! It’s what I have lived and breathed for the last 3.5 years. I have also engaged peer CISOs doing terrific work transforming their firms’ security function and capabilities — I’ve always had a passion to learn from their experience. What makes one leader a transformational CISO versus a traditional CISO? What is their secret sauce?

I found a couple of things when I wrote this doc:

  • You are not alone. If the challenges highlighted in this report feel familiar to you, it’s because you are not the only one facing challenges. Writing this doc was pleasurable and cathartic: While interviewing these brilliant CISOs and leaders who I have incredible respect for, I found myself reflecting upon my own experiences and feeling a sense of relief and gratitude that I am not the only one who encountered the many challenges and experienced the highs and lows that go with a cybersecurity transformation.
  • Cyber transformation is now A Thing — and at its heart is culture change. Unless you’re at one of the big banks, cyber transformation as a thing has really only emerged in the last 3–5 years and is truly taking off now. Some of the Big Four consulting firms have reshaped their service offerings around cyber transformation. There is now such a thing as transformational CISOs (yep, people put it in their job applications and on LinkedIn), job ads for cyber transformation consultants, and program managers. This wasn’t always the case. There was no common definition on what makes a transformation versus a BAU security strategy — we agreed that, rather than define the difference, we’d focus on the fact that what makes a transformation unique is the cultural change that must go with it.
  • Kicking off or leading a cyber transformation is not for the faint-hearted. I could have written a book — and mercifully for all of us — I didn’t. Instead, I condensed my findings into six keys to a successful transformation. I had to focus my work on very specific actions summarizing hard work, gray hair, and relentless drive from many security leaders and practitioners.
  • Diversity matters. I address the importance of building the A-team in the doc, and that’s definitely something that deserves a doc in itself. One thing I didn’t talk about enough was the fact that every single leader who I interviewed had one thing in common: They all had built extraordinarily diverse teams. A coincidence, perhaps? Or further proof that diversity results in seriously brilliant outcomes?

Above all, my favorite part of this research, and one that has resonated with me very personally, were the discussions we had on the importance of resilience and other personal leadership qualities. As an example of one of those gems in the discussion, Dr. Maria Milosavljevic told us: “People will get tired of hearing about security. CISOs need to keep going anyway and keep doing what needs to be done. Resilience is setting your sights on what ‘good’ looks like and moving forward.”

This is not a job for the faint-hearted. If you are undertaking a transformation or considering undertaking one, you’ll need courage, resilience, a strong belief in your end outcome, and a strong desire to take people on the journey with you.