The role of Chief Information Security Officers (CISO) is evolving and requires a complex skill set. Long perceived as cost center that constrains the business in order to reduce losses from cyberattacks and to meet regulatory compliance, cybersecurity is now transforming into a critical function that must contribute to overall competitiveness.
It is a mindset change. CISO’s will continue to manage the risks through establishing and enforcing policies, but now must also help the organization seize opportunities and be successful. The next generation of CISO’s will position themselves as an enabler for the business to move faster, build trust, and remain effective in the eyes of shareholders and customers.
I had a conversation with HMGStrategy recently where they asked 3 probing questions on how the best CISO’s are transforming themselves and their organization to meet these new expectations.
What should be the role of the CISO in helping the organization to reach its future state?
The CISO’s job is to oversee and manage cyber risks of the organization. They play a crucial role in helping to determine the optimal level of risks that should be sought, advocating for the necessary support, and implementing effective controls to achieve the goals in the face of intelligent adversaries. It is a job of balancing risks, costs, and usability for a value-added benefit to the organization.
It is not easy. Cybersecurity is wrapped in a blanket of ambiguity, fear, and sometimes disbelief. The threats are vague, impacts are unpredictable, and the risks are difficult to determine. As the adage goes: “Security is not relevant, until it fails”.
Understanding and describing the challenges and opportunities is demanding but absolutely imperative. Executive management is hesitant to support initiatives without definitive data, employees are resistant to accept added friction to their workloads, and customers are not appreciative of additional controls which may cause delays to product releases or undermine feature usability. The value must be understood to gain support. A balance between managing risks while not stifling business innovation is the key to success.
How can CISOs help the enterprise to strike a balance between fostering innovation while protecting its assets and intellectual property?
It must all start with the business goals. Risk is managed not eliminated. The real mission is to achieve an optimal balance between risks, costs, and usability/productivity impacts. Although security can be seen as an inhibitor to running the business and a cost sink, in actuality it has long-term value to enable the organization to strategically move faster by avoiding incidents, liability exposure, reputation loss, and costly impacts. If done correctly, security becomes part of the foundation that imbues consumer trust, which is a competitive advantage.
All levels of the organization, starting at the top, must be bought-in to the value. Nobody wants the business to be wounded. Articulating the risks and presenting reasonable controls can go a long way to forge an acceptable plan. The CISO is the trusted expert and advocate to facilitate this education and drive to fruition. Defining the desired level of risk then becomes a collaborative effort where choices and acceptable tradeoffs are made in such a manner that everyone can be supportive.
Why do different organizational dynamics call for a certain style of CISO?
As the first order challenge is to communicate the value proposition in terms of the business goals, it requires a CISO who is fluent in both translating risks and understanding desired mitigations. Every company is different. They operate in markets that are subject to different regulations, have varying communication styles and hierarchies, and fluctuate in how the leadership may pursue its goals. These are all important factors that affect how a CISO can navigate successfully.
Healthcare and Financial companies are very concerned with regulations and privacy. They want industry specific leaders who have experience with meeting legal requirements. A highly technical company may only respect a CISO who possesses a deep understanding of engineering and can converse on equal terms. Startups are most focused on agility and financial survival. They want a CISO who can move quickly to mitigate, accept, or transfer the necessary risks that reduce friction to getting initial products to market. Companies with strong brands are adverse to negative public sentiment and want a security leader capable of greatly reduce the risks of incidents. Organizations who heavily invest in R&D desire a CISO that is an expert in protecting Intellectual Property. Large corporations expect management experience and a professional aptitude in communicating to advisory boards, media, stockholders, and customers. The list goes on.
All told, there is not a single perfect archetype. A good CISO must have the security chops, communication skills, and business expertise to fit the organization they serve as it pursues its business goals. The CISO is a leadership role and it is essential to work collaboratively with other executives in order to achieve success in sustainably delivering the optimal balance of risk management for the benefit of the company.
I will be speaking at the upcoming HMG Strategy CISO Executive Leadership event in Silicon Valley on March 21st. It is a summit tailored for CISO’s to discuss challenges and share insights. I will lead a panel talking about new technologies and how they will affect the CISO’s role. CISO’s are welcome to attend this free event to share, network, and collaborate. Together, we are stronger in facing the emerging cybersecurity challenges of our industry.