It’s been a slow but sure evolution for the modern-day CISO. When the position made its debut in the corporate world, the CISO was a firefighter, constantly battling security issues as they arose. CISOs were usually hired only after a security threat affected a given company. They weren’t given access or authority, so it was hard to break out of the firefighter role.
The next step for CISOs was to become more strategic about their actions. (This is where a great opportunity lies for many companies today.) Instead of simply reacting to problems, CISOs at forward-thinking companies started predicting where future problems might arise and crafted their plans accordingly.
To become the value-driven executive that the board wants to work with, CISOs must take one more leap: they have to show how their actions both prevent problems and contribute to the company’s bottom line. It’s no easy task, but the process isn’t all that complicated. Make your performance metrics relevant for members of the Board, and you'll win their trust.
Why is this important right now?
This Security Week article discusses how CISOs are still being shut out of the board room and often aren’t given decision making power. The circumstances have limited CISOs’ ability to become an integral part of the c-suite.
As one chief financial officer says, “It feels like we’re constantly spending more on security, but I have no idea whether that’s enough or even what it does.”
I spoke with several executives to discover what it takes for CISOs to prove their worth. Their suggestions are listed below.
The best CISOs:
-
Are pragmatic in their efforts, realizing that their company needs to grow, but can’t do so too quickly or it will risk over-exposure.
-
Work with and influence other executives so security is recognized as a people, process & tech initiative, not just a tech issue.
-
Get information security into the early planning phase of an initiative (as opposed to something that is tacked on in the later stages).
-
Shift the conversation from focusing on "what tools will make us more secure?" to "how secure are we now?"
-
Use context, stories, lessons, and answers to address issues.
How do they do it?
-
They present solutions rather than problems.
-
They secure and organize their company’s data.
-
They answer these questions thoroughly.
-
What services are being provided?
-
How much do these services cost?
-
What value do these services provide?
-
They explain what conditions existed when a peer was breached and show what they're doing to prevent it from happening to their company.
-
They show where vulnerabilities exist and how strategy & investments are impacting performance over time.
-
They encourage investments in personnel and technology resources via easy-to-understand data, shared with the proper context.
-
They use security benchmarking to show how their company stacks up to others in the industry.
The Board’s Role
For CISOs and their companies to thrive, it takes involvement from the board as well. Boards must start taking responsibility for the cybersecurity of their companies. If not, there will likely be financial repercussions for board members that fail to place this issue as a critical priority in retaining and growing the value of a company (plus a knock to their reputations).
Boards also need to have high-level discussions around security and risk and treat them the same way as discussions about revenue performance, growth, investment, or other topics of interest.
The Good News
Things are changing for the better. 58 percent of board members admit that they should be doing more about security. If CISOs make it easy for higher-ups to understand the value of your plan, they will have the Board eager to approve it. They will earn a spot as an equal in the c-suite and finally get the support they deserve.
