It’s Time for CISOs to Take a Seat at the Table

Brian Thomas | August 14, 2019

It doesn’t matter what business you’re in — cybersecurity has become extremely important to both your organization’s reputation and its bottom line. According to reports, the average cost of a data breach is $3.86 million.

No wonder employees with great cybersecurity skill sets are in such high demand, with CISOs at the top of many companies’ wish lists. CISOs have become the chief protectors of their organizations thanks to their specialized knowledge of security operations, cyber risk and intelligence, and data loss prevention. This knowledge has made CISOs indispensable to their companies.

Yet there’s an opportunity for CISOs to do even more for their organizations — and their own careers. There’s an empty seat at the management table, and the CISO is the perfect person to fill that vacancy.

But before they sit down, they need to be able to connect and communicate with the other members of the C-suite and the Board of Directors. To do this, they’ll need to learn some new skills and step out of their comfort zones.

New business skills needed for CISOs

The role of the CISO already carries enormous responsibility, but the CISO’s job will become even more important as risks to businesses grow. And as those risks increase, the need for the CISO to expand their horizons beyond IT — and into the boardroom — will become more apparent. 

Gartner predicts that the top cybersecurity trend of 2019 will be cybersecurity managers’ ability to present security matters effectively to key business decision makers. Essentially, CISOs and those who work for them must be able to articulate clearly and succinctly how cybersecurity impacts their organizations. They need to be able to cut through the jargon and align their own objectives with those of their businesses.

For CISOs, this requires expansive thinking that goes beyond IT. They must understand their company’s business goals and strategies so they can map their own work onto them, in a way that helps stakeholders meet their objectives.

Conversely, CISOs must also be able to educate the C-suite on the importance of cybersecurity and provide them with information about the organization’s security posture. This information should be communicated clearly and directly, and couched in terms that matter to these key stakeholders.

For example, there is an often overlooked opportunity to help the C-suite and board members understand the security risks that arise from business decisions such as new partnerships and vendor relationships, and to frame security matters in the context of business outcomes and their impact on revenue-critical initiatives. In doing so, CISOs can build on their existing skills while moving up the ranks to drive strategy, positioning themselves as an indispensable asset with a seat at the table.

Securing a place at the table

A useful point of reference for CISOs seeking to move beyond running a tactical security practice to a more strategic, business-oriented one comes from Stephen Katz, the first executive to hold the title “CISO,” which he held at Citigroup in the mid-90s. A go-to name in the industry, Katz defines the responsibilities of the CISO here. But there are still a few key skills a CISO needs in order to bridge the divide from the perception of the CISO as the “security guy” to a strategic member of the C-suite who can support business functions.

There’s no magic bullet for success. Continuous learning is a lifelong journey. The key is to start now. Find a mentor, take a class, attend a conference, and look to the cyber community for help. 

In a coming post, I’ll discuss how the CISO and C-suite can work together to improve the organization’s security posture and take a shared responsibility for improving business outcomes.
