The rapidly expanding cybersecurity threat landscape has driven the chief information security officer (CISO) out of the basement and into the boardroom in many enterprises. While these tech professionals were traditionally seen as security enforcers, they have now taken a seat at the table as strategists helping the enterprise avoid cybercrime.
“The CISO’s role has changed from a pure technologist to understanding what the business is trying to do, and to make sure security is part of the business strategy, not an afterthought,” said Steve Martino, CISO and vice president of information security at Cisco. A 2016 Cisco study found that business leaders today believe that cybersecurity is a prime growth enabler, reinforcing the need for those in charge of security to increasingly think in business terms.
Cyber threats have changed dramatically in the past decade in terms of sophistication and volume, Martino said. That change has been driven by two factors: Organizations becoming more connected through the Internet of Things (IoT), and cybercriminals shifting from making political statements to cybercrime as a business.
This changing landscape and added responsibility mean CISOs need to develop a new set of soft skills, including learning how to talk with line-of-business leaders about risk, privacy, user experience, and the tradeoff between security and features.
“Five to ten years ago, the C-suite really didn’t have a relationship or a dialogue with the information security team or leader,” Martino said. “Today, we do. In order to be effective, you have to have this business context, and be able to have a business dialogue with many different functional leaders.”
That means understanding what the different parts of the business (finance, sales, marketing, and so on) prioritize, and being able to translate risk issues into their language.
“CISOs need to have that business knowledge and multi-lingual capability to be able to translate what you’re trying to get across in terms of risk to the business owner,” Martino said. “Both are required to be effective at the speed of business, and earn the respect and trust required.”
Developing new skills
Training is helpful for CISOs who have been called to report to the C-suite for the first time, said Gary Hayslip, an ISACA expert on cybersecurity, the former CISO for the City of San Diego, and the current CISO at Webroot. “It’s a different view of risk, and on the use of resources and costs,” he said. “You have to start really getting into the strategy of where the organization is going.”
Hayslip recommends finding another C-suite member who has reported to the board before, and partnering with them to learn how the board meetings typically proceed, and what the individual board members are like, what they look for as a group, and how they process information.
“If you’re a CISO dealing with the C-suite and it’s relatively new for you, don’t be scared–ask a mentor so you can start learning about what they look for, so you make sure when you do report to a board, the information you’re presenting is relevant to the discussion,” Hayslip said.
It’s key to remember that the CISO does not own the risk–the business does, said Forrester analyst Jeff Pollard. “CISOs are now transferring ownership of risks back to business units,” Pollard said. “Instead of the CISO possessing the power to stop the business in its tracks, they are advising and coaching business unit leaders on the risks and security ramifications of decisions but the business owns the risk and makes the decisions.”
Rather than making the CISO a barrier, this model lets CISOs work with, rather than against, their colleagues, Pollard said.
However, the CISO does need to be flexible, and understand that the security system in place must be resilient. “You’re going to take breaches,” Hayslip said. “There is no totally secure network. If you factor that in, you can start looking at where your risks are, how your teams are trained, and what policies are in place.”
If the CISO is overwhelmed with projects, it helps to determine which departments you are serving, who the stakeholders are, and what is critical to them, Hayslip said. That narrows the list of issues to tackle. It is often wise to start with cyber hygiene, he added: having basic security policies, patch management, antivirus, and firewalls in place, updated, and managed builds a strong foundation for the organization's cyber health.
CISOs also have an opportunity to redefine their role as a business strategist during the digital transformation, Pollard said. To prove their value, they should spend time mapping the firm’s technology touchpoints, foster security champions across the company, and get involved with customer-facing activities like product design and development, he added.
“We’re in this transition as an industry from being a technologist and a protector to being a business enabler,” Martino said. “In order to cross that chasm, the CISO has to earn a place at the table, by bringing business relevancy, and helping the business get to their goals faster.”