Security professionals want leaders who have already led their organization through a major cyber incident – regardless of how things turned out

Research from ISC2 reveals what makes for a good security leader

Image: Cybersecurity professionals in discussion (credit: Getty Images)

Cybersecurity professionals are less likely to trust a boss who's never been through the mill of managing a major security incident.

Data from antivirus vendor Sophos suggests that CISOs have a one-in-four chance of losing their jobs after an attack. But new research from ISC2 shows that three-quarters of security professionals reckon leaders are more credible if they've already led their organization through a major cyber incident – regardless of how things turned out. Just 9% disagreed.

Overall, the survey revealed that the most trusted security leaders are those who create confidence through transparency, consistency, and an ability to align security priorities with business outcomes. Those who can keep calm and carry on, demonstrating decisive leadership under pressure, are far more likely to earn lasting credibility with their teams and across the enterprise.

Unfortunately, though, cybersecurity bosses don't generally seem to be managing this.

Only 34% of cybersecurity professionals said they were very confident in their current cybersecurity upper leadership, with 15% extremely confident. Three-in-ten said they had moderate confidence, 15% were only slightly confident, and 6% said they had no confidence in their cybersecurity leaders at all.

Security staff are particularly keen on leaders who can communicate risk to senior leadership and boards, with 95% of respondents reckoning this as very important.

Other big pluses included a strategic and long-term cybersecurity vision, along with the ability to effectively work with senior leadership and boards to secure budget, and being transparent about decisions and actions.

Decision-making under pressure and building and leading high-performing teams were both rated very important by more than eight-in-ten – more so than actual technical cybersecurity expertise, at 75%.

"The most important trait in a cybersecurity leader is the ability to align security strategy with business goals while earning trust through clear judgment, communication, and accountability," noted one respondent.

Bosses wanting to earn their staff's respect, said ISC2, need to be transparent about risks, priorities, and challenges. "Teams and executives are more likely to trust leaders who provide realistic assessments rather than overly optimistic narratives," the researchers said.

Keeping calm and carrying on in high-pressure incidents or periods of change also boosts a security leader's reputation, while there's much greater trust when leaders manage to create an environment where teams feel supported, heard, and accountable.

Strong cybersecurity leaders invest time in understanding business objectives and collaborating across departments, helping position security as an enabler rather than a blocker.

"For leaders who now find themselves in an environment where cybersecurity risk impacts every part of the organization, it is the ones who communicate clearly, empower their teams and demonstrate calm, decisive leadership under pressure that are far more likely to earn lasting credibility with their teams and across the enterprise," the researchers said.

"Ultimately, the most successful cybersecurity leaders are not simply those who protect systems and data, but those who create trust in their leadership when it matters most."

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.