One of the three principles of high-performance IT (HPIT) is to build trust on a foundation of security, privacy, and resilience. As a CIO, executing your strategy will be much easier if you unleash the talent of the person who plays an outsized role in building a trusted business: your chief information security officer (CISO).

Depending on your HPIT strategy, which recognizes that every organization is unique and that a one-size-fits-all approach to IT doesn’t exist, you will need different things from your CISO. However, you don’t always have the luxury of hiring, or even managing this CISO — in fact, only 33% of security leaders report into technology. Your best bet will be using your CISO’s strengths and complementing their weaknesses. In order to do that, you will need to have a clear understanding of the CISO persona.

What You Need To Know About CISOs In APAC

My Forrester colleague Chiara Bragato and I dissected the representation, career paths, and tenure of CISOs across the APAC region — in companies that ranked in the top 100 of their respective countries’ stock exchange indexes — in Australia, Singapore, the Philippines, India, and Malaysia. The average APAC CISO has held the job 1.6 times and typically reaches the position over 20 years after earning their bachelor’s degree. Despite their extensive experience, these seasoned professionals still tend to focus on the technical side: Even with decades of expertise, many struggle to secure a spot in the executive suite. For APAC CISOs, we found that:

  • STEM degrees reign supreme. Sixty-nine percent of CISOs with a university bachelor’s degree were trained in science, technology, engineering, or mathematics (STEM). This is significantly higher in India, where all CISOs have STEM undergraduate degrees. It’s significantly lower for Australian CISOs, however, where 10% earned an arts degree and 34% hold a business degree. Only 35% of APAC CISO master’s degrees are MBAs, with the majority focusing on science and tech.
  • The ‘C’ in CISO is “chief” in title only. In APAC, only 16% of companies award their CISO with additional organizational titles such as vice president or director, whereas 55% of those we examined in Fortune 500 CISO career paths hold such recognition. In APAC, the CISO is often given the title without organizational seniority or a seat at the executive table. Not only do execs not always want a techie at their table, but they want a leader, not a practitioner. A deeper dive into CISOs’ certifications showed an enthusiastic acquisition of certs more suited to practitioners than senior execs.
  • APAC women CISOs face a tempered glass ceiling. A lack of gender representation in cybersecurity is not a new challenge. It’s, however, one that needs to be urgently addressed across this region, where women accounted for only 9% of CISOs. The gap widens even more in some countries. For example, only one of 30 CISOs in Malaysia and only one of 20 in India are women. Not only is it difficult for women to attain CISO roles, it’s difficult for them to stay in one. The average APAC male CISO has been in their role 34% longer than their female counterparts.

When hiring a CISO, the skills you prioritize should align with your HPIT strategy. Each of the four styles of HPIT — enabling, cocreating, amplifying, and transforming — consists of a unique mix of technology, practices, and skills, optimally balanced to drive results for your business. In a transforming mode, you will need to find CISOs who are true business partners, experiential, and who say “yes, and … ” instead of “we can’t.” On the other hand, if you’re in enabling mode, a less senior, tech-focused CISO might already possess the necessary skills. However, in cocreating mode, you may need to enhance their expertise with additional DevSecOps capabilities.

Whatever you do, you can’t bypass the human task of adapting your hiring and leadership skills to the key guardian of trust in your organization. If you want to learn more about this topic, catch me at Forrester’s Technology & Innovation Summit APAC on October 29 in Sydney (and digitally).