Rick Holland
How to Empower Today's 'cISOs'

Although many security leaders have a C in their title, not all are true capital-C "Chiefs." Here are three ways to live up to the job description.

Many security and risk leaders have an uppercase "C" in their title, but there is nothing "Chief" about them. They are executives in title only, and — just like the bottom three finishers in English Premier League soccer — these security leaders face relegation. For Americans, this is the equivalent of being a last-place finisher in Major League Baseball and your entire team gets sent down to Triple-A ball. To be successful and to be taken seriously by their other C-level peers, chief information security officers (CISOs) need a different approach.

I've worked with CISOs for many years, and as an analyst with Forrester Research, I was in a position to give many of them security program suggestions and advice. Which, to be honest, always made me feel like a bit of an imposter (like that friend without children who gives parenting advice). But now that I am a CISO myself and spend even more time with my peers, I find that many CISOs are actually "cISOs." After years of seeking to be elevated to the C-suite and get in front of the board, now given the opportunity, many CISOs are struggling with the transition.

Combining my years of experience as an industry analyst with my perspective as a CISO, here are three recommendations for empowering CISOs with a capital C.

1. Understand how your business generates revenue. To operate as a true "Chief," you must spend time talking to line-of-business leaders to truly understand how your company operates. With knowledge of how the business generates revenue and the people and technology involved, you can model how insiders, external adversaries, and competitors might disrupt your operations. You can then map out the appropriate security controls to minimize the implications and build resilience into your program.

2. Understand your business risks and how to mitigate them. If you work for a public company, take the time to review your company's Securities and Exchange Commission Form 10-K. Inside, you'll find a wide-ranging list of risks to the business — from supply chains and weather to geopolitics. Privately held companies usually have a risk governance committee maintaining a similar list. Even if cyber-risk isn't called out specifically, a full-fledged CISO will take the time to understand these business risks, map them to the cyber domain, and then determine how best to mitigate them.

3. Make the most of your board presentation. As a member of the C-suite, you now have an opportunity to present to the board. You finally have been called up to the big leagues, and you don't want to strike out. You need to understand what they want to know, and you need to communicate that information effectively. As a first step, develop a relationship with a board member that you can parlay into a board mentor. This mentor can give you guidance on how to interact with the other board members. Some board members will be more technical than others, but don't let that pull you back into your comfort zone of technical jargon. Use analogies business leaders can recognize to ensure you're communicating in a way that is meaningful to all of them. I frequently use film and television analogies to communicate key concepts; find the illustrations that work best for you.

Now that you've laid the groundwork for a successful board presentation, what specific metrics should you report on? Keeping in mind that you have a finite amount of time to present and you don't want to overcomplicate the message, I suggest you focus on the following areas:

  • Report on the program's overall maturity using an industry-accepted framework (e.g., ISO 27001 or the NIST Cybersecurity Framework) to measure and track maturity and governance. Provide a high-level update to the board — for example, that the organization is at 60% maturity based on the framework. This gives them confidence that you are working within a recognized structure and have a solid grasp of what the trend looks like.
  • Proactively control the narrative so as not to be seen exclusively as the bearer of bad news. Look for a "front page of the news" win to highlight, like a NotPetya or a WannaCry type of global event. Explain how the risk was relevant to your business and what your team did to mitigate risk.
  • Provide overall metrics on trends. There is nothing more relevant than using your own data to frame a high-level discussion about what incidents looked like during the reporting period. Specific metrics might include: whether incidents are trending up or down, and why; how many incidents you are dealing with; and how long it takes to identify an intrusion, remediate it, and recover. Again, remember to stay away from acronyms and jargon.
  • Report on the top three risks you are working on. Control the narrative and relate these to the business so that your board will understand that you are more than just a cISO. Some examples that could be germane to your business:

a. The sales and marketing department is migrating from an on-premises customer relationship management system to a software-as-a-service equivalent, and you are working on managing the risks associated with the migration.

b. Planned merger and acquisition activity requires that you focus on preventing the financial details from getting into the hands of a competitor or threat actor.

c. The business is launching a new product that will account for 30% of net new revenue in the following year and you need to protect your intellectual property.

At a future board meeting, close the loop and report back on how the security and risk organization helped enable the success of strategic business activities you are involved in protecting.  

As a CISO, you have the opportunity you've longed for: to work closely with your peers at the C-level and interact directly with the board with the aim of demonstrating value to the organization and buy-in for new initiatives. You don't want to squander it and get relegated. By putting knowledge of the business and risks first and understanding how and what to communicate to the board, you can transition successfully.

Rick Holland has more than 14 years' experience working in information security. Prior to joining Digital Shadows, he was a vice president and principal analyst at Forrester Research, providing strategic guidance on security architecture, operations, and data privacy.
Joe Stanganelli, 5/30/2018 | 9:44:44 PM
C-suiters and c-suiters
In answer to this, there has been a trend of having CISO-equivalent jobs with far more junior job titles. 

In any case, part of the real root of the problem is that, for all of the hype of the latest C-whatever-O position, in most organizations it's a farce. The real capital-C C-Suite is the CEO and CFO, and sometimes the CIO, CMO, CTO, EVP of BizDev, and/or General Counsel/CLO.

The CISO role needs a seat at the C-suite table for all of its importance if managed appropriately -- but often it tends to be a gopher and scapegoat position.
