The boardroom’s view of the CISO is the expert’s expert. We have traditionally been employed to ensure that the IT estate is secure and that the technologies chosen by the CIO meet the security requirements of the business, CISOs tend to be well educated and experienced, too. However, as security risks increasingly make their way on to the CEO radar, that expertise needs to be married with business acumen and leadership if CISOs want to take the opportunity to be more than information security policemen.
Research shows that 40 per cent of us hold a Master’s qualification or above, plus an average of 2.8 industry certifications. Almost 60 per cent start our careers in enterprise IT or IT security, which for some provides a 25-year run-up to the top job.
There is no doubt that cybersecurity experience and expertise is necessary. Hackers change their tactics faster than most organizations update their defences. To combat a dynamic, evolving threat, an equally dynamic and expert defence is needed. As CISOs, we are often detectives, working ahead on solutions that second guess hackers’ next moves.
But our role is to play in the present too. The most pressing job for many is uniting the organization around a common approach to data security. That requires business collaboration as much as breach prevention. While CIOs are used to working alongside the different lines of business, their CISO counterparts are still coming around to the idea of connecting their subject matter expertise to business value.
Much of the value we as CISOs provide is related to our ability to help business leaders balance the upside of risk with the possible downsides. If we make this data available to this partner, what is the risk of a breach versus the potential revenue gain? How does the business evaluate this decision objectively?
Compliance does not equal security. But outside the IT department it’s a common misconception that ticking boxes is enough. It’s our job as the CISO to engage the organization in a more strategic appraisal of their options. That means we must be business leaders and security experts—evangelists for best practice as well as leaders in their field. How can we strike a better balance?
We should start by splitting the role into three parts: business, people, and technology. On the business side, CISOs have to become executive-level operators with an intimate knowledge of business operations and strategy. Counsel must be practical and applied, to enable the c-suite to understand the true business impact of a given data security policy. For example, if CISOs locked everything down, most organizations could increase their levels of data security. But customer experience would suffer and business agility would be lost. Given the market the business operates in, the current environment and the strategy, what is the correct balance to apply?
The second part is people. CISOs must be leaders, not just of our own teams but acting as change agents across the whole organization, especially where potentially damaging behaviors are ingrained. Those leadership skills will be a valuable asset in the jobs market, too. Security is a hugely competitive field, and hiring good people is a perennial challenge for boards.
The third part, technology, is a given. CISOs must be experts in the technical nature of intrusion systems, cloud security, and perimeter defence. But it’s how we pull the three strands of business, people, and technology together that determines our success. How do we marry technical expertise with a measured appreciation of the many different nodes of information across the enterprise? Whether intellectual property, financial, customer, or partner data, our role is to work with the business to understand which is the most sensitive data, and establish rules and technical controls for handling it safely, without impacting negatively on revenue-generating opportunities.
Technical expertise is inarguable. But where CISOs have traditionally failed is leadership. Now CEOs are starting to listen, we must be ready to respond in c-suite language and use our unique perspective to drive change that creates real business value. If we can transform from corporate policeman into business enabler, it will be much easier to create a culture of best practice and shared risk across the entire business.
First published in IDGConnect