Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

02:30 PM
Rick Holland
Rick Holland
Connect Directly
E-Mail vvv

How to Empower Today's 'cISOs'

Although many security leaders have a C in their title, not all are true capital-C "Chiefs." Here are three ways to live up to the job description.

Many security and risk leaders have an uppercase "C" in their title, but there is nothing "Chief" about them. They are executives in title only, and — just like the bottom three finishers in English Premier League soccer — these security leaders face relegation. For Americans, this is the equivalent of being a last-place finisher in Major League Baseball and your entire team gets sent down to Triple-A ball. To be successful and to be taken seriously by their other C-level peers, chief information security officers (CISOs) need a different approach.

I've worked with CISOs for many years, and as an analyst with Forrester Research, I was in a position to give many of them security program suggestions and advice. Which, to be honest, always made me feel like a bit of an imposter (like that friend without children who gives parenting advice). But now that I am a CISO myself and spend even more time with my peers, I find that many CISOs are actually "cISOs." After years of seeking to be elevated to the C-suite and get in front of the board, now given the opportunity, many CISOS are struggling with the transition.

Combining my years of experience as an industry analyst with my perspective as a CISO, here are three recommendations for empowering CISOs with a capital C.

1. Understand how your business generates revenue. To operate as a true "Chief," you must spend time talking to line-of-business leaders to truly understand how your company operates. With knowledge of how the business generates revenue and the people and technology involved, you can model how insiders, external adversaries, and competitors might disrupt your operations. You can then map out the appropriate security controls to minimize the implications and build resilience into your program.

2. Understand your business risks and how to mitigate. If you work for a public company, take the time to review your company's Securities and Exchange Commission Form 10K. Inside, you'll find a wide-ranging list of risks to the business — from supply chains and weather to geopolitics. Privately held companies have a risk governance committee maintaining a similar list. Even if cyber-risk isn't called out specifically, a full-fledged CISO will take the time to understand these business risks, map them to the cyber domain, and then determine how best to mitigate them.

3. Make the most of your board presentation. As a member of the C-suite, you now have an opportunity to present to the board. You finally have been called up to the big leagues, and you don't want to strike out. You need to understand what they want to know, and you need to communicate that information effectively. As a first step, develop a relationship with a board member that you can parlay into a board mentor. This mentor can give you guidance on how to interact with the other board members. Some board members will be more technical than others, but don't let that pull you back into your comfort zone of technical jargon. Use analogies business leaders can recognize to ensure you're communicating in a way that is meaningful to all of them. I frequently use film and television analogies to communicate key concepts; find the illustrations that work best for you.

Now that you've laid the groundwork for a successful board presentation, what specific metrics should you report on? Keeping in mind that you have a finite amount of time to present and you don't want to overcomplicate the message, I suggest you focus on the following areas:

  • Report on the program's overall maturity using an industry-accepted framework (e.g., ISO 27001 or the NIST Cybersecurity Framework) to measure and track maturity and governance. Provide a high-level update to the board — for example, that the organization is at 60% maturity based on the framework. This gives them confidence that you are working within a recognized structure and have a solid grasp of what the trend looks like.
  • Proactively control the narrative so as not to be seen exclusively as the bearer of bad news. Look for a "front page of the news" win to highlight, like a NotPetya or a WannaCry type of global event. Explain how the risk was relevant to your business and what your team did to mitigate risk.
  • Provide overall metrics on trends. There is nothing more relevant than using your own data to frame a high-level discussion about what incidents looked like during the reporting period. Specific metrics might include: if incidents are trending up or down and the cause; how many incidents you are dealing with; and how long it takes to identify an intrusion and remediate and recover. Again, remember to stay away from acronyms and jargon.  
  • Report on the top three risks you are working on. Control the narrative and relate these to the business so that your board will understand that you are more than just a cISO. Some examples that could be germane to your business:

a. The sales and marketing department is migrating from an on-premises customer relationship management system to a software-as-a-service equivalent, and you are working on managing the risks associated with the migration.

b. Planned merger and acquisition activity requires that you focus on preventing the financial details from getting into the hands of a competitor or threat actor.

c. The business is launching a new product that will account for 30% of net new revenue in the following year and you need to protect your intellectual property.

At a future board meeting, close the loop and report back on how the security and risk organization helped enable the success of strategic business activities you are involved in protecting.  

As a CISO, you have the opportunity you've longed for: to work closely with your peers at the C-level and interact directly with the board with the aim of demonstrating value to the organization and buy-in for new initiatives. You don't want to squander it and get relegated. By putting knowledge of the business and risks first and understanding how and what to communicate to the board, you can transition successfully.

Related Content:

Rick Holland has more than 14 years experience working in information security. Prior to joining Digital Shadows, he was a vice president and principal analyst at Forrester Research, providing strategic guidance on security architecture, operations, and data privacy. Rick ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
Joe Stanganelli,
User Rank: Ninja
5/30/2018 | 9:44:44 PM
C-suiters and c-suiters
In answer to this, there has been a trend of having CISO-equivalent jobs with far more junior job titles. 

In any case, part of the real root of the problem is that, for all of the hype of the latest C-whatever-O position, in most organizations it's a farce. The real capital-C C-Suite is the CEO and CFO, and sometimes the CIO, CMO, CTO, EVP of BizDev, and/or General Counsel/CLO.

The CISO role needs a seat at the C-suite table for all of its importance if managed appropriately -- but often it tends to be a gopher and scapegoat position.

Firms Improve Threat Detection but Face Increasingly Disruptive Attacks
Robert Lemos, Contributing Writer,  2/20/2020
Ransomware Damage Hit $11.5B in 2019
Dark Reading Staff 2/20/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-02-27
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2018-17963. Reason: This candidate is a reservation duplicate of CVE-2018-17963. Notes: All CVE users should reference CVE-2018-17963 instead of this candidate. All references and descriptions in this candidate have been removed to preve...
PUBLISHED: 2020-02-27
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
PUBLISHED: 2020-02-27
** DISPUTED ** In the GD Graphics Library (aka LibGD) through 2.2.5, there is a heap-based buffer over-read in tiffWriter in gd_tiff.c. NOTE: the vendor says "In my opinion this issue should not have a CVE, since the GD and GD2 formats are documented to be 'obsolete, and should only be used for...
PUBLISHED: 2020-02-27
Synchronet BBS 3.16c for Windows allows remote attackers to cause a denial of service (service crash) via a long string in the HTTP Referer header.
PUBLISHED: 2020-02-27
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-1000020. Reason: This candidate is a reservation duplicate of CVE-2017-1000020. Notes: All CVE users should reference CVE-2017-1000020 instead of this candidate. All references and descriptions in this candidate have been removed to...