Gone are the days when a chief information security officer (CISO) could remain a behind-the-scenes player, tasked solely with responsibility for an organization’s technology operations.
Cyber attacks, ransomware and privacy are no longer niche issues and lost customer trust due to a security breach can lead to major damage to brand and bottom line alike. That’s why as more enterprises digitize their data, CISOs are being asked increasingly to step outside their traditional comfort zone and work more intimately with C-suite executives and company boards.
This is a transformation that needs to happen if companies are going to bridge an unnecessary divide that’s grown up over the years, sometimes leading to a dialogue of the deaf between different parts of the same organization.
But how can CISOs effectively communicate business impacts with their executive team and board while still demonstrating their technical competence and security expertise? What tools can they use to better communicate? What are the different roles they need to fulfill to survive a crisis? Let’s take a closer look.
Aligning Security Operations with Business Objectives
Just how aligned are CISOs with an enterprise’s core business operations? This remains the proverbial work in progress. When the Ponemon Institute studied the evolving role of CISOs and their importance to their businesses, 60% of respondents said their organizations’ security was considered to be a business priority, but only 22% confirmed that security was being integrated with business functions. And that, according to Ernie Hayden, a security consultant and four-time CISO, constitutes a serious obstacle.
“It’s absolutely imperative that CISOs understand the business,” he said. “Without that, they can’t do their jobs, even the most basic things like understanding which data is important and needs to be protected.”
This can be particularly problematic when you consider that only 18% of CISOs have a management background or as much work experience as members of their board and C-suite. All the more imperative, then, that CISOs spend more time with their enterprise’s business executives and boards and also change their traditional ways of communicating with them, in order to better learn the business.
“The CISOs who fail and don’t survive are the ones who come into the board room or executive suite and start ranting and raving about things like packets and switches,” Hayden said. “What they need to do instead is learn about the business and talk about the business impacts of security. For example, they can explain the newest emerging threats and detail the precise ways their business can be hurt by them, perhaps by using examples in the news.”
Learning Better Ways to Communicate
CISOs also need to use the right tools for communicating with executives and board members, which Hayden says are Microsoft Word, PowerPoint and Excel. As for the kind of security and technical information they’re communicating, he’s a big believer in the keep-it-simple rule: “Keep it elementary and rely heavily on metaphors.”
Also, it’s important to be proactive and not wait to talk to executives and board members until after the company has been attacked. Instead, Hayden suggested regular check-ins with their opposite numbers on the business side so that CISOs become part of the company’s everyday operations.
Chris Veltsos, a professor in the Department of Computer Information Science at Minnesota State University, echoed that approach. In a recent post on how to improve the CISO-Board relationship, Veltsos attached major importance to increasing the amount of interaction between CISOs, the board and the C-suite to “build and manage the trust that the organization’s leadership and customers rightfully expect.”
“Such interactions will also provide the CISO with the opportunity to determine the level of background knowledge board directors have about cyber security,” he continued. “For some, interactions may need to start at a basic level, such as with tablets and smartphones, and cover the risks inherent in all technologies.”
Taking Their Turn in the Spotlight
Over the years, there have been periodic calls for CISOs to become true C-suite business leaders. But with cyber attacks getting more frequent and more destructive, there’s more urgency to speed this transformation.
Indeed, CISOs are most visible during crises like cyber attacks, and are judged based on how they respond to them. And that’s where better and constant CISO interaction with the board and C-level executives pays off.
Using the information gleaned from those relationships, CISOs can take center stage and fulfill the multiple roles required of them. That includes internal interactions with stakeholders in the business, dealing with newspapers and other aspects of public relations and external communications, and understanding the regulatory implications of the crisis if the business is a heavily regulated one.
Communicating better and more regularly with the board and top executives will help someone become a better CISO because they’ll be able to assume a more holistic view of the business, according to Hayden.
“The board and executives don’t really care if you’ve got a degree in computer science and 120 computer science certifications,” he said. “They want to see that you can solve security problems in ways that benefit the business. Ultimately, they don’t care about technology. They care about end results.”