Paper Number
ECIS2026-2839
Paper Type
CRP
Abstract
The Chief Information Security Officer role has emerged as critical for organisations confronting escalating cyber threats, yet systematic understanding of leadership effectiveness remains absent. Existing Information Systems leadership theories fail to capture the unique adversarial context, dual mandates, and invisible value proposition distinguishing security leadership. Through grounded theory investigation of twenty Australian CISOs, we develop the Security Leadership Contingency Model. The model demonstrates that effectiveness requires simultaneous maintenance of CISO-Organisation fit and CISO-Environment fit, two frequently conflicting alignment dimensions mediated through political capital. Security leaders navigate these competing demands through phase-contingent adaptations across three organisational contexts: Establishment, Maturation, and Strategic phases. These findings extend Information Systems leadership theory by demonstrating how dual-fit requirements create unique effectiveness dynamics absent from traditional frameworks. The model challenges static competency frameworks whilst providing evidence-based guidance for CISO selection, development, and performance evaluation.
Recommended Citation
Onibere, Mazino; Ahmad, Atif; and Maynard, Sean B., "The Security Leadership Contingency Model: How Chief Information Security Officers Adapt Across Organisational Phases" (2026). ECIS 2026 Proceedings. 20.
https://aisel.aisnet.org/ecis2026/security/security/20