Nobody needs to tell CEOs today that they can ill afford to be exposed to sophisticated cyberattacks or that defense against these attacks is the responsibility of the C-suite. Therefore, it’s no surprise that chief information security officers (CISOs) are rapidly becoming integral parts of corporate leadership teams.
Rising stature doesn’t make their job any easier, however, as they still face significant challenges.
The cost of a cyber intrusion and accompanying data theft can be huge and corporate reputations sullied. CISOs are under pressure to do the best job possible. And higher expectations of performance– and other lofty responsibilities -- will only increase in coming years. CISOs will have to become more proficient in data privacy matters and position cybersecurity as a business enabler.
Meanwhile, CISOs have yet to command much respect.
Although many CISOs today are part of the C-suite, surveys show they are still generally held in low regard by their colleagues. Too many other C-suite executives think their skill set is too narrow, and that they are non-strategic outside the realm of security and insufficiently fluent in business. After all, the ultimate goal of all business executives at public companies is to build shareholder value, not to merely oversee a specific function.
CISOs generally must educate executive management and boards on the dual needs to stymie potential cyber breaches and to invest resources in a chronically changing cybersecurity threat environment. This is good in the long haul – it mitigates the odds of a successful cyberattack – but this drain on resources can be troubling at public companies that face chronic pressure to maximize profits quarterly.
What CISOs Must Do To Succeed
To better fit into corporate environments, CISOs must move beyond monitoring, repelling and responding to cyber threats to become leaders who help create an organizational culture that liberally shares cyber risk ownership. They must also better integrate cybersecurity with the business overall and more strategically manage information risk.
And, too, they must appreciate the challenging nuances of their job – one that Fast Company has called “the hottest seat in corporate America today,” and not just because CISOs are under constant pressure to stop highly sophisticated attacks. Business issues pop up between CISOs and the board, and CISOs must become adept at addressing them.
Now that CISO’s provide periodic updates on cyber risks directly to the board of directors, rather than through the CIO, the cybersecurity budget is no longer buried under the IT budget. This makes it more visible – and transparency often leads to disagreements. CISOs, for example, sometimes have neither the decision-making nor purchasing power required to make a difference. At the same time, they are often viewed as convenient scapegoats in the event of a data breach.
At the root of some budget battles is the fact that cyber risks have nothing to do with the functional boundaries of the company. A CISO knows that a breach at a single system in a branch office can undermine the entire network. It is one thing for the board to know this, but another to accept it.
The reality, unfortunately, is that some board members and executives are simply not on the side of the CISO.
There are several reasons. One is that a CISO is sometimes viewed as a policeman, rather than as a partner, and may be creating roadblocks to corporate success. Another is that barely more than 20 percent of CISOs today report to the CEO, partly because the two disciplines usually sport substantially different backgrounds, mindsets and business objectives. This undermine CISO cachet. A third factor is that the security organization is often isolated from other areas of the business, inhibiting cross functional communication.
The Talent Shortage Compounds Problems
On top of everything else, almost all CISOs are forced to cope with a talent shortage -- a problem that often consumes a lot of time and distracts attention from the big picture. This problem shows no signs of easing. Frost & Sullivan recently predicted that there will be a shortage of 1.5 million security professionals by 2020, even greater than the case today.
CISOs obviously face a very competitive market in recruiting for talent. And the issue does not stop there. They also need to be great managers and mentors. To retain the best talent, CISOs must provide cyber professionals with opportunities to grow both in business and technology acumen.
How to Better Blend Into the C-Suite
So just what can CISOs do to blend in better and gain more respect?
For starters, they need to embrace the reality that almost all executives make risk-based decisions. With this in mind, CISOs can expand executive appetite for risk to include security technologies in support of business endeavors. CISOs should frame discussions to say that containing security risk improves the odds of good business outcomes.
A case in point is ransomware, among the most prevalent types of corporate cyberattacks today. Should an organization pay to fix a successful ransomware attack or not? This is typically costly, but often less so than the cost of data loss. Yes, extortion is bad. Downtime, however, is expensive and irritates customers. An enlightened CISO should weigh the pros and cons of particular situations and propose a well-crafted analysis and response.
In periodically addressing the board, the CISO should frame discussions in terms of dollars. For example, he or she should offer year-over-year comparison numbers showing outage from a security attacks, and compare that to the amount of money spent on cybersecurity that year or withheld. The CISO could also project how much theft of intellectual property could potentially cost the company, including investigative costs and the expense of public relations afterward, drawing upon historical data at other companies.
Five Key Strengths Needed
In summary, the CISO should regularly cultivate these five strengths:
* Business acumen and analytics
* Business-to-business communication
* Creativity and innovation
* People leadership
In the end, it’s all about establishing a leadership stance. Ultimately, CISOs are the champion for information security at a corporation. In that capacity, they should strive to become distinguished by the ability to define a security vision that makes the most sense, secure support from the board and C-suite, and access the talent and resources necessary to make their vision a reality. The broader employee population should also be engaged in cybersecurity.
Despite challenges, it’s only a matter of time before even more CISOs sit on the boards of public companies, raising the level of awareness and understanding on how to manage the operational and business risks associated with cybersecurity governance. In time, more experienced CISOs will be sought after to chair board of director risk committees, and that is a good thing.