Last year broke records for data compromises, data breaches, and fraud. In fact, both 2020 and 2021 saw huge increases in fraud across the board.
Internet traffic literally doubled, and new phishing, spoofing, hacking, and fraud attempts emerged. Phishing attacks soared 220% in 2020, and the Federal Trade Commission reports that people lost more than $3.3 billion to fraud in 2020 — an increase of nearly $1.5 billion over prepandemic numbers. In 2021, US businesses suffered a 17% increase in data breaches since 2020. Meanwhile, businesses have worked to preempt and prevent fraud by identifying and prioritizing risks — and those risks involve fraudulent SMS, email, push notifications, fake landing pages, and more.
The result? The chief security officer (CSO) has become more influential at the C-level table. As the top security executive within an organization, a CSO is responsible for IT and corporate security as well as the safety and security of company data and assets. Some companies refer to this person as a chief information security officer (CISO) rather than a CSO, although many of the duties overlap. The CSO is also tasked with communicating a company's security status, needs, and challenges to management. CSO input is critical for communicating security risks to leadership — and even presenting to the board. If risks and vulnerabilities are not properly demonstrated to the board, these risks can't be prioritized at an organizational level.
Why should CSOs take a seat at the executive table now if they haven't already? How can they communicate with other C-level executives at the table? And how can CSOs work more closely with the C-suite to boost overall security within the organization? A few guidelines follow.
1. A defined stakeholder, a dedicated voice
Historically, security professionals have been viewed as a "blocker," or someone who inhibits the ability to deliver a product. In other words, when risk is identified, security says "no" to the potential project or product release, claiming the potential risk to the organization is too great. The CSO needs to change this perspective by communicating that the overall mission is to enable business success by securing the organization, even if those security protocols come into direct conflict with another department's deliverable or project from time to time.
The CSO can provide the right security-related guidance and background to help leaders make business decisions. This person should be willing to say: "We all know how important this product rollout is, but we're going to need to pause the release of this piece of software. It poses too much risk to the organization." The CSO should communicate that success of the business and security go hand in hand. All employees should be invested in supporting, maintaining, and respecting security practices to ensure success.
2. Communicating risk in a way everyone understands
At various points in my career, I worked with security leaders who were extremely technical with a very deep understanding of security vulnerabilities and the associated risks to the business. Unfortunately, these people didn't have the ability to communicate these risks "upward" or explain them in simple terms. The CSO should be able to actively "translate" the technical specifics of security risks in a language that other C-suite leaders can act upon.
A standardized framework can help illustrate security vulnerabilities and how they could potentially impact the organization. A risk register identifies a threat, outlines the probability it will affect the organization, and also presents overall potential impact. The CSO should maintain and share this risk register at the executive level — and at the board level. This person should also be able to prioritize identified risks and participate in discussions about the budget needed to resolve the high-priority issues in a timely manner.
The risk register should be broken down into specific sections that align with various business units and different stakeholders — infrastructure, Web applications, internal systems, physical security, etc. When you outline the direct consequences of a particular risk and which business units are affected, you open the dialogue with different stakeholders. You also convey how security touches every part of the business.
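As an added illustration (not from the article or any particular organization), the register below models the fields the text describes, threat, probability, impact, and a business-unit section with an accountable stakeholder, and shows the two views the CSO needs: a prioritized list for the budget discussion and per-unit sections for each stakeholder. The 1-5 rating scale, the probability x impact score, the threshold of 15 and the sample entries are all assumptions constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed rating scheme for this example: probability and impact are each
# rated 1 (low) to 5 (high), and a risk scores probability x impact (1-25).
# The article does not prescribe a scale; this one is illustrative.
HIGH_PRIORITY_THRESHOLD = 15


@dataclass(frozen=True)
class Risk:
    threat: str
    business_unit: str  # section of the register, e.g. "infrastructure"
    probability: int    # likelihood the threat affects the organization (1-5)
    impact: int         # overall potential impact if it does (1-5)
    owner: str          # stakeholder accountable for the mitigation road map

    def __post_init__(self):
        for name in ("probability", "impact"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{name} must be 1-5, got {getattr(self, name)}")

    def score(self) -> int:
        return self.probability * self.impact


def prioritize(register):
    """Whole register ordered highest score first; ties broken by business unit."""
    return sorted(register, key=lambda r: (-r.score(), r.business_unit))


def by_business_unit(register):
    """Split the register into the per-stakeholder sections the article calls for."""
    sections = defaultdict(list)
    for risk in prioritize(register):
        sections[risk.business_unit].append(risk)
    return dict(sections)


def high_priority(register, threshold=HIGH_PRIORITY_THRESHOLD):
    """Risks that should drive the budget conversation at the executive level."""
    return [r for r in prioritize(register) if r.score() >= threshold]


# Constructed sample entries (illustrative, not findings from any real organization).
SAMPLE_REGISTER = [
    Risk("Credential phishing against finance staff", "internal systems", 5, 4, "IT"),
    Risk("Unpatched internet-facing VPN appliance", "infrastructure", 3, 5, "Network"),
    Risk("Weak rate limiting on customer login", "web applications", 4, 3, "Product"),
    Risk("Unescorted visitor access to server room", "physical security", 2, 4, "Facilities"),
]
```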
3. Identifying risks isn't enough
Identifying, prioritizing, and communicating threats are only part of a CSO's role. How can a CSO mitigate and address risk in real time while helping the business achieve larger goals? Instead of rejecting all proposed projects due to risk, the CSO should work toward tangible, positive outcomes despite the risk that's been identified. After identifying the threat, the CSO should find a clear road map past the risk while ensuring that potentially affected business units are secure.
This ability to see security issues through an additional "business" lens can help the CSO be viewed as a business enabler rather than a barrier to progress. Over time, the CSO will be better understood and appreciated by C-level peers as someone who does their job while also speaking "the language of the business."
Our current environment of heightened risk, ever-increasing fraud, and constant alerts underscores that the days of security as a second-class citizen are over. CSOs are taking their rightful place at the executive table to help organizations navigate potential security threats with clarity, understanding, and perspective.