CISO Should Stand For Chief Influence Security Officer

More companies are elevating security executives to true C-level status. Last year, about 65% of the largest enterprises in the U.S. had a Chief Information Security Officer (CISO) on their payroll, according to ISACA (…), and more organizations are considering moving their CISO out from the shadow of the CIO. It’s a sign of the important and growing role of security in an era of digital business and constant threats.
Chief Influence Security Officer, chief information security officer

However, many are still treating their CISO like the brand-new coffee table from IKEA: Sure, it serves a purpose, but it can be more about appearances. Joining the C-suite gives security officers a seat at the table and is a good first step, but it’s not enough; their voices need to be heard and their plans need to be implemented. While the title stands for chief information security officer, it might make sense to reorganize the acronym to be chief security influence officer. The highest priorities of this job are to influence the rest of the executive team — and the board — about proper security and to make sure that safety posture works hand in glove with overarching business imperatives and strategies. Leave the technical day-to-day operations to the security engineers and analysts on staff while you make sure the C-suite is aware of the need for proper security measures and how to achieve them.

 

Cybersecurity Challenges And Solutions

Many executives don’t really know what a cybersecurity threat fully entails, assume that the protection they have is good enough and shift the full responsibility to their IT organizations. Ignorance may be bliss, but this type of thinking creates headaches and leaves an organization at risk.

Another problem is that CISOs may not tailor their security strategies to align with strategic business concerns. Sure, the team and its leader are there to protect the organization, but being safe should not come at the expense of turning away customers (e.g., through poor user interfaces and onerous information access methods). It’s possible to be secure, efficient and profitable all at the same time.

A CISO can exert influence and address these problems with the following measures:

Every company is different, and that applies to cybersecurity needs, too. The industry can determine the threats that are most likely to occur. If you’re in production, you might deal with ransomware; if you’re in retail, you might be at risk for card skimming. It’s important to determine what those risks are and what the security goals are for your specific company.

If you’re funneling too much budget into endpoint protection when you’d be better off diverting funds into file security, you’re going to have inefficient security measures. Obviously, everyone is focused on profit, but a Fortune 500 company may care more about stock prices and shareholders, and a small to midsize business may care more about customer satisfaction and retention. It’s important to understand both the security and business goals in order to create the perfect strategy.

 

Angle For CEO (And Board) Access

It’s great to have a seat at the executive table, but having the right seat can make all the difference. According to a 2017 Ponemon study, only 4% of CISOs report directly to their CEOs. This might not mean they’re relegated to the boiler room, but it does exemplify that there’s a suboptimal chain of command. There is no substitute for having the ear of the CEO when it comes to balancing security concerns with business objectives and ensuring security becomes a strategic priority for the organization.

Successful baseball managers have an open line of communication with their general managers in order to mesh strategy with finance, and cybersecurity should be no different.

 

You Need A Communications Plan, Too

The CISO needs to break things down for the executive team using the language of business. Your CEO doesn’t want to hear that the company has a 43% chance of being breached and having the personal data of hundreds of thousands of customers compromised. His response is going to be, “So what?” Things need to be quantified.

Instead, you want to explain that because 600,000 customers are at risk, the company could potentially lose X million dollars due to noncompliance fines and lawsuits. If your company is publicly traded, the CISO also must convey the potential effects of a negative brand reputation on stock prices. In the cases of Target and Equifax, their stocks took an initial beating, but they were able to recover. However, as a result of the recent Facebook privacy debacle, the hashtag #DeleteFacebook was born, and the stock price has suffered as a result.

Once you have your CEO’s attention with the jab of potential loss and damages, knock them out with the money they could save by implementing measures to reduce the company’s cyber risk.

Being a CISO is tricky in a world where cyber threats are increasing exponentially and businesses are struggling to keep up. Especially when many executives may be unaware of technology, vulnerabilities and potential consequences, it’s important to stay level-headed and show them that bolstering cybersecurity limits financial risk and helps the company maximize profits. The CISO must be the influential voice of reason, using a combined knowledge of cybersecurity and business acumen to set the tone for future security practices. It’s no longer enough to focus solely on the technical aspects of security; to be a truly effective CISO, you must understand the big picture and have the ability to successfully convey the financial benefits of cybersecurity to those writing the checks.

Chief Influence Security Officer, chief information security officer

Related Training

 

Stern, Amos (2018). CISO Should Stand For Chief Influence Security Officer. Recovered on 28 September 2018 from https://www.forbes.com/sites/forbestechcouncil/2018/09/24/ciso-should-stand-for-chief-influence-security-officer/#189dd4dc198f