Many security and risk leaders have an uppercase "C" in their title, but there is nothing "Chief" about them. They are executives in title only, and — just like the bottom three finishers in English Premier League soccer — these security leaders face relegation. For Americans, this is the equivalent of being a last-place finisher in Major League Baseball and your entire team gets sent down to Triple-A ball. To be successful and to be taken seriously by their other C-level peers, chief information security officers (CISOs) need a different approach.
I've worked with CISOs for many years, and as an analyst with Forrester Research, I was in a position to give many of them security program suggestions and advice. This, to be honest, always made me feel like a bit of an imposter (like that friend without children who gives parenting advice). But now that I am a CISO myself and spend even more time with my peers, I find that many CISOs are actually "cISOs." After years of seeking to be elevated to the C-suite and get in front of the board, now given the opportunity, many CISOs are struggling with the transition.
Combining my years of experience as an industry analyst with my perspective as a CISO, here are three recommendations for empowering CISOs with a capital C.
1. Understand how your business generates revenue. To operate as a true "Chief," you must spend time talking to line-of-business leaders to truly understand how your company operates. With knowledge of how the business generates revenue and the people and technology involved, you can model how insiders, external adversaries, and competitors might disrupt your operations. You can then map out the appropriate security controls to minimize the implications and build resilience into your program.
2. Understand your business risks and how to mitigate them. If you work for a public company, take the time to review your company's Securities and Exchange Commission Form 10-K. Inside, you'll find a wide-ranging list of risks to the business — from supply chains and weather to geopolitics. Privately held companies have a risk governance committee maintaining a similar list. Even if cyber-risk isn't called out specifically, a full-fledged CISO will take the time to understand these business risks, map them to the cyber domain, and then determine how best to mitigate them.
3. Make the most of your board presentation. As a member of the C-suite, you now have an opportunity to present to the board. You have finally been called up to the big leagues, and you don't want to strike out. You need to understand what they want to know, and you need to communicate that information effectively. As a first step, develop a relationship with a board member that you can parlay into a board mentor. This mentor can give you guidance on how to interact with the other board members. Some board members will be more technical than others, but don't let that pull you back into your comfort zone of technical jargon. Use analogies business leaders can recognize to ensure you're communicating in a way that is meaningful to all of them. I frequently use film and television analogies to communicate key concepts; find the illustrations that work best for you.
Now that you've laid the groundwork for a successful board presentation, what specific metrics should you report on? Keeping in mind that you have a finite amount of time to present and you don't want to overcomplicate the message, I suggest you focus on the following areas:
- Report on the program's overall maturity using an industry-accepted framework (e.g., ISO 27001 or the NIST Cybersecurity Framework) to measure and track maturity and governance. Provide a high-level update to the board — for example, that the organization is at 60% maturity based on the framework. This gives them confidence that you are working within a recognized structure and have a solid grasp of what the trend looks like.
- Proactively control the narrative so as not to be seen exclusively as the bearer of bad news. Look for a "front page of the news" win to highlight, like a NotPetya or a WannaCry type of global event. Explain how the risk was relevant to your business and what your team did to mitigate risk.
- Provide overall metrics on trends. There is nothing more relevant than using your own data to frame a high-level discussion about what incidents looked like during the reporting period. Specific metrics might include: whether incidents are trending up or down, and why; how many incidents you are dealing with; and how long it takes to identify an intrusion, remediate it, and recover. Again, remember to stay away from acronyms and jargon.
- Report on the top three risks you are working on. Control the narrative and relate these to the business so that your board will understand that you are more than just a cISO. Some examples that could be germane to your business:
a. The sales and marketing department is migrating from an on-premises customer relationship management system to a software-as-a-service equivalent, and you are working on managing the risks associated with the migration.
b. Planned merger and acquisition activity requires that you focus on preventing the financial details from getting into the hands of a competitor or threat actor.
c. The business is launching a new product that will account for 30% of net new revenue in the following year, and you need to protect its intellectual property.
At a future board meeting, close the loop and report back on how the security and risk organization helped enable the success of strategic business activities you are involved in protecting.
As a CISO, you have the opportunity you've longed for: to work closely with your peers at the C-level and interact directly with the board, with the aim of demonstrating value to the organization and securing buy-in for new initiatives. You don't want to squander it and get relegated. By putting knowledge of the business and its risks first, and by understanding how and what to communicate to the board, you can make the transition successfully.