4 Tips for Navigating the Executive Role of the Modern CISO
Since the inception of the chief information security officer (CISO) role, the security professionals filling this seat have had to walk a tightrope between the IT department, other C-suite executives and the board. In charge of handling real-time threats and mitigating cyberattacks, CISOs often find themselves between a rock and a hard place, trying to communicate and implement security initiatives that require buy-in from the rest of the company. With one foot in security and the other in business operations, CISOs must be able to explain security gaps in business terms and ultimately gain approval for the initiatives that keep the enterprise safe. Here are four tips for navigating the increasingly executive role of the modern CISO.
Start speaking the language of the board
To bridge communication gaps effectively, CISOs need to speak in terms that the board and other C-suite executives will understand. This means explaining how cybersecurity directly affects business operations, customer relationships, the company's reputation and ultimately the bottom line. Cyberattacks are increasingly common, and it has truly become a matter of "when" rather than "if" a business will be affected. CISOs should use real-world examples to show how cyber incidents have led to declines in shareholder value, damage to corporate reputations and even executive-level terminations. In addition, cybersecurity initiatives should be translated into business objectives that demonstrate a return on investment: an improved security posture that protects the company's bottom line. For example, present metrics showing how simulated phishing tests and awareness events reduce successful phishing attempts, and therefore the incident-response cost and lost productivity that follow each one.
Lean into your metrics
When competing for sometimes scarce resources, CISOs need to quantify security risk. Every claim should be backed by data that shows the company's current security posture and where gaps could lead to a costly attack. The goal is to build the board's confidence that the right decisions are being made and that money is not being squandered. Metrics only speak for themselves when they are tracked consistently over time, so choose a small set the board can follow from one meeting to the next (for example, phishing click rate, time to detect and remediate incidents, and patch latency on critical systems) and show how the needle of risk is moving and how you are protecting the value of the company.
Utilize a larger network of influence
In modern enterprises, CISOs can no longer afford to operate in an IT silo. Interactions with other C-suite executives are crucial for integrating cybersecurity initiatives throughout the business. If top management is not engaged in cyber hygiene, their teams will not be invested either. It is crucial to enterprise security that every person in the corporation, from the top down, is invested in cybersecurity. Some corporations are even investing in a newer role, the Business Information Security Officer (BISO), who acts as an ambassador between the CISO and the individual business units. BISOs are brought on to raise the profile of cybersecurity across the organization and to learn the needs of each department so they can offer tailored cybersecurity initiatives and education. While not essential, they can help deliver on a CISO's ultimate vision.
Willingly collaborate outside the enterprise
Just as building relationships inside the corporation is imperative for CISOs, so is collaborating with vendors and partners outside the company. In today's increasingly digital world, an organization is only as safe as the partners it is connected to. Assess the security of the company's most critical vendors, be clear about your expectations for cybersecurity, and keep open lines of communication so that you can confirm those standards are being met on an ongoing basis, not just at onboarding.
Today's CISOs wear multiple hats, and their jobs are increasingly difficult. They must speak the language of the C-suite while maintaining their close relationships with IT. They need to navigate strategic board discussions while keeping the company's tactical security initiatives at the forefront. However, if they embrace the challenge, framing security initiatives in terms of return on investment, leaning on their metrics, and building relationships both inside and outside the organization, they can create security initiatives that truly move the needle of risk.
Ashley Rose is the CEO and cofounder of Living Security, a pioneer in human risk management and leader in security awareness training.