Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

02:30 PM
Rick Holland
Rick Holland
Connect Directly
E-Mail vvv

How to Empower Today's 'cISOs'

Although many security leaders have a C in their title, not all are true capital-C "Chiefs." Here are three ways to live up to the job description.

Many security and risk leaders have an uppercase "C" in their title, but there is nothing "Chief" about them. They are executives in title only, and — just like the bottom three finishers in English Premier League soccer — these security leaders face relegation. For Americans, this is the equivalent of being a last-place finisher in Major League Baseball and your entire team gets sent down to Triple-A ball. To be successful and to be taken seriously by their other C-level peers, chief information security officers (CISOs) need a different approach.

I've worked with CISOs for many years, and as an analyst with Forrester Research, I was in a position to give many of them security program suggestions and advice. Which, to be honest, always made me feel like a bit of an imposter (like that friend without children who gives parenting advice). But now that I am a CISO myself and spend even more time with my peers, I find that many CISOs are actually "cISOs." After years of seeking to be elevated to the C-suite and get in front of the board, now given the opportunity, many CISOS are struggling with the transition.

Combining my years of experience as an industry analyst with my perspective as a CISO, here are three recommendations for empowering CISOs with a capital C.

1. Understand how your business generates revenue. To operate as a true "Chief," you must spend time talking to line-of-business leaders to truly understand how your company operates. With knowledge of how the business generates revenue and the people and technology involved, you can model how insiders, external adversaries, and competitors might disrupt your operations. You can then map out the appropriate security controls to minimize the implications and build resilience into your program.

2. Understand your business risks and how to mitigate. If you work for a public company, take the time to review your company's Securities and Exchange Commission Form 10K. Inside, you'll find a wide-ranging list of risks to the business — from supply chains and weather to geopolitics. Privately held companies have a risk governance committee maintaining a similar list. Even if cyber-risk isn't called out specifically, a full-fledged CISO will take the time to understand these business risks, map them to the cyber domain, and then determine how best to mitigate them.

3. Make the most of your board presentation. As a member of the C-suite, you now have an opportunity to present to the board. You finally have been called up to the big leagues, and you don't want to strike out. You need to understand what they want to know, and you need to communicate that information effectively. As a first step, develop a relationship with a board member that you can parlay into a board mentor. This mentor can give you guidance on how to interact with the other board members. Some board members will be more technical than others, but don't let that pull you back into your comfort zone of technical jargon. Use analogies business leaders can recognize to ensure you're communicating in a way that is meaningful to all of them. I frequently use film and television analogies to communicate key concepts; find the illustrations that work best for you.

Now that you've laid the groundwork for a successful board presentation, what specific metrics should you report on? Keeping in mind that you have a finite amount of time to present and you don't want to overcomplicate the message, I suggest you focus on the following areas:

  • Report on the program's overall maturity using an industry-accepted framework (e.g., ISO 27001 or the NIST Cybersecurity Framework) to measure and track maturity and governance. Provide a high-level update to the board — for example, that the organization is at 60% maturity based on the framework. This gives them confidence that you are working within a recognized structure and have a solid grasp of what the trend looks like.
  • Proactively control the narrative so as not to be seen exclusively as the bearer of bad news. Look for a "front page of the news" win to highlight, like a NotPetya or a WannaCry type of global event. Explain how the risk was relevant to your business and what your team did to mitigate risk.
  • Provide overall metrics on trends. There is nothing more relevant than using your own data to frame a high-level discussion about what incidents looked like during the reporting period. Specific metrics might include: if incidents are trending up or down and the cause; how many incidents you are dealing with; and how long it takes to identify an intrusion and remediate and recover. Again, remember to stay away from acronyms and jargon.  
  • Report on the top three risks you are working on. Control the narrative and relate these to the business so that your board will understand that you are more than just a cISO. Some examples that could be germane to your business:

a. The sales and marketing department is migrating from an on-premises customer relationship management system to a software-as-a-service equivalent, and you are working on managing the risks associated with the migration.

b. Planned merger and acquisition activity requires that you focus on preventing the financial details from getting into the hands of a competitor or threat actor.

c. The business is launching a new product that will account for 30% of net new revenue in the following year and you need to protect your intellectual property.

At a future board meeting, close the loop and report back on how the security and risk organization helped enable the success of strategic business activities you are involved in protecting.  

As a CISO, you have the opportunity you've longed for: to work closely with your peers at the C-level and interact directly with the board with the aim of demonstrating value to the organization and buy-in for new initiatives. You don't want to squander it and get relegated. By putting knowledge of the business and risks first and understanding how and what to communicate to the board, you can transition successfully.

Related Content:

Rick Holland has more than 14 years experience working in information security. Prior to joining Digital Shadows, he was a vice president and principal analyst at Forrester Research, providing strategic guidance on security architecture, operations, and data privacy. Rick ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
Joe Stanganelli,
User Rank: Ninja
5/30/2018 | 9:44:44 PM
C-suiters and c-suiters
In answer to this, there has been a trend of having CISO-equivalent jobs with far more junior job titles. 

In any case, part of the real root of the problem is that, for all of the hype of the latest C-whatever-O position, in most organizations it's a farce. The real capital-C C-Suite is the CEO and CFO, and sometimes the CIO, CMO, CTO, EVP of BizDev, and/or General Counsel/CLO.

The CISO role needs a seat at the C-suite table for all of its importance if managed appropriately -- but often it tends to be a gopher and scapegoat position.

Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-12
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 requests to user provided domains were not restricted to external IP addresses when transitional IPv6 addre...
PUBLISHED: 2021-04-12
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identif...
PUBLISHED: 2021-04-12
In Gradle before version 7.0, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle. Some builds could be vulnerable to a local information disclosure. Remote files accessed through TextResourceFactory are downloaded in...
PUBLISHED: 2021-04-12
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identif...
PUBLISHED: 2021-04-12
Advanced Authentication versions prior to 6.3 SP4 have a potential broken authentication due to improper session management issue.