Rick Holland

How to Empower Today's 'cISOs'

Although many security leaders have a C in their title, not all are true capital-C "Chiefs." Here are three ways to live up to the job description.

Many security and risk leaders have an uppercase "C" in their title, but there is nothing "Chief" about them. They are executives in title only, and — just like the bottom three finishers in English Premier League soccer — these security leaders face relegation. For Americans, this is the equivalent of being a last-place finisher in Major League Baseball and your entire team gets sent down to Triple-A ball. To be successful and to be taken seriously by their other C-level peers, chief information security officers (CISOs) need a different approach.

I've worked with CISOs for many years, and as an analyst with Forrester Research, I was in a position to give many of them security program suggestions and advice, which, to be honest, always made me feel like a bit of an imposter (like that friend without children who gives parenting advice). But now that I am a CISO myself and spend even more time with my peers, I find that many CISOs are actually "cISOs." After years of seeking to be elevated to the C-suite and get in front of the board, now that they have been given the opportunity, many CISOs are struggling with the transition.

Combining my years of experience as an industry analyst with my perspective as a CISO, here are three recommendations for empowering CISOs with a capital C.

1. Understand how your business generates revenue. To operate as a true "Chief," you must spend time talking to line-of-business leaders to truly understand how your company operates. With knowledge of how the business generates revenue and the people and technology involved, you can model how insiders, external adversaries, and competitors might disrupt your operations. You can then map out the appropriate security controls to minimize the implications and build resilience into your program.

2. Understand your business risks and how to mitigate. If you work for a public company, take the time to review your company's Securities and Exchange Commission Form 10K. Inside, you'll find a wide-ranging list of risks to the business — from supply chains and weather to geopolitics. Privately held companies have a risk governance committee maintaining a similar list. Even if cyber-risk isn't called out specifically, a full-fledged CISO will take the time to understand these business risks, map them to the cyber domain, and then determine how best to mitigate them.

3. Make the most of your board presentation. As a member of the C-suite, you now have an opportunity to present to the board. You finally have been called up to the big leagues, and you don't want to strike out. You need to understand what they want to know, and you need to communicate that information effectively. As a first step, develop a relationship with a board member that you can parlay into a board mentor. This mentor can give you guidance on how to interact with the other board members. Some board members will be more technical than others, but don't let that pull you back into your comfort zone of technical jargon. Use analogies business leaders can recognize to ensure you're communicating in a way that is meaningful to all of them. I frequently use film and television analogies to communicate key concepts; find the illustrations that work best for you.

Now that you've laid the groundwork for a successful board presentation, what specific metrics should you report on? Keeping in mind that you have a finite amount of time to present and you don't want to overcomplicate the message, I suggest you focus on the following areas:

  • Report on the program's overall maturity using an industry-accepted framework (e.g., ISO 27001 or the NIST Cybersecurity Framework) to measure and track maturity and governance. Provide a high-level update to the board — for example, that the organization is at 60% maturity based on the framework. This gives them confidence that you are working within a recognized structure and have a solid grasp of what the trend looks like.
  • Proactively control the narrative so as not to be seen exclusively as the bearer of bad news. Look for a "front page of the news" win to highlight, like a NotPetya or a WannaCry type of global event. Explain how the risk was relevant to your business and what your team did to mitigate risk.
  • Provide overall metrics on trends. There is nothing more relevant than using your own data to frame a high-level discussion about what incidents looked like during the reporting period. Specific metrics might include: whether incidents are trending up or down, and why; how many incidents you are dealing with; and how long it takes to identify an intrusion, remediate it, and recover. Again, remember to stay away from acronyms and jargon.
  • Report on the top three risks you are working on. Control the narrative and relate these to the business so that your board will understand that you are more than just a cISO. Some examples that could be germane to your business:

a. The sales and marketing department is migrating from an on-premises customer relationship management system to a software-as-a-service equivalent, and you are working on managing the risks associated with the migration.

b. Planned merger and acquisition activity requires that you focus on preventing the financial details from getting into the hands of a competitor or threat actor.

c. The business is launching a new product that will account for 30% of net new revenue in the following year and you need to protect your intellectual property.

At a future board meeting, close the loop and report back on how the security and risk organization helped enable the success of the strategic business activities you are involved in protecting.

As a CISO, you have the opportunity you've longed for: to work closely with your peers at the C-level and interact directly with the board with the aim of demonstrating value to the organization and buy-in for new initiatives. You don't want to squander it and get relegated. By putting knowledge of the business and risks first and understanding how and what to communicate to the board, you can transition successfully.

Rick Holland has more than 14 years experience working in information security. Prior to joining Digital Shadows, he was a vice president and principal analyst at Forrester Research, providing strategic guidance on security architecture, operations, and data privacy. Rick ...

Joe Stanganelli, 5/30/2018 | 9:44:44 PM
C-suiters and c-suiters
In answer to this, there has been a trend of having CISO-equivalent jobs with far more junior job titles.

In any case, part of the real root of the problem is that, for all of the hype of the latest C-whatever-O position, in most organizations it's a farce. The real capital-C C-Suite is the CEO and CFO, and sometimes the CIO, CMO, CTO, EVP of BizDev, and/or General Counsel/CLO.

The CISO role needs a seat at the C-suite table for all of its importance if managed appropriately -- but often it tends to be a gopher and scapegoat position.