The following are the four essential ones:

1. They have tons of common sense

   Information security leaders that have a practical eye for what really works and what doesn’t from a procedural and technical perspective are the ones that succeed. Leaders that are strictly theoretical and work “by the book” (i.e. believing that firewalls and encryption equals the ultimate security) or solely on vendor recommendations (i.e. “this whiz-bang intrusion detection or patch management system is all you need”) are the ones that will ultimately fail.

   Takeaway: Successful information security leaders make informed decisions. They don’t believe everything they hear. They realize that realistic security policies, plans and organizational awareness of the threats and vulnerabilities involved with IT are really what makes information secure.

2. They possess the ability to sell

   Information security leaders that can sell the importance of security to their executives and employees are the ones that succeed. They possess a passion for what they believe. This is the key to persuasion – and the key to persuasion is motivation. They know that human actions are motivated by something – either the desire for gain or the fear of loss. This doesn’t mean they operate based on, but rather they educate themselves on, the risks involved in depending on IT for almost every aspect of business and they use their imagination to find positive ways to educate others. Leaders that operate on fear, uncertainty and doubt (referred to as FUD); force information security safeguards in the name of security without keeping the end goals in mind; and sell security based strictly on ROI and theoretical calculations of risk can’t last long.

   Takeaway: Successful information security leaders focus on selling (disguised as education) security to others in a way that’s in terms of the end user experience (convenience and usability) and in terms of the business (what it will buy and protect the business from long term).

3. They are in touch with technology

   Information security leaders that possess the ability to embrace technology, study it and understand where it does and does not fit in are the ones that will succeed. At the same time, these leaders have enough maturity to understand their limitations. They know when to delegate and to whom they should delegate overly technical issues. Leaders that ignore technology and view it as “the network administrator’s issue” or – at the other extreme – sink their heads so deeply into the highly-technical issues that they refuse to delegate and don’t focus on the more important business-level issues – will run out of gas quickly.

   Takeaway: Successful information security leaders realize that technology is not the solution to information security problems, but know enough about it to be able to embrace it to enforce policies and make informed decisions on information security controls and purchases. A basic understanding, general interest, and even curiosity in technology can certainly help improve the information security leader’s chances of success.

4. They think long-term

   Information security leaders keep their eyes on the horizon and are constantly creating innovative ways so that information security helps the business. This could come in the form of implementing new controls to make a system more useable while, at the same time, increasing the security of a system’s information. Or, it could come in the form of new business service offerings now that confidential information can be effectively secured. Leaders that won’t last are the ones that will lock down the information systems more and more without keeping the end user in mind. They also look out for short-term technical solutions such as overly-hyped encryption technologies or four-factor authentication systems that claim to solve problems that could otherwise be fixed with enhanced security policies and procedures or even lower-cost technologies.

   Takeaway: Successful information security leaders realize that the long view sharpens their short view. They innovate, not for specific short-term fixes, but rather for long-term business improvements. They don’t major in minors but rather focus their organization’s unique talents and offerings on information security solutions that embrace the business. They know that long-term, inspiring trust rather than relying on tight controls, is best for everyone.

The bottom line is that successful information security leaders focus on leading rather than putting out fires. Their nature is to be proactive rather than reactive, and they keep things practical by focusing their efforts (and budgets) on areas with the highest payoffs. Perhaps most importantly, successful information security leaders know they must continually focus on their ongoing education to keep their skills sharp and keep up with the latest trends, staying on top of this critical business role that’s not going away.

About the Author

Kevin Beaver is the founder and principal consultant of Atlanta-based information security services firm Principle Logic, LLC. He has over 16 years of experience in IT and specializes in information security assessments and incident response. Kevin is the author of Hacking For Dummies by Wiley Publishing and the free ebook The Definitive Guide to Email Management and Security by Realtimepublishers.com and co-author of the book The Practical Guide to HIPAA Privacy and Security Compliance by Auerbach Publications. Kevin can be reached at kbeaver@principlelogic.com.