All chief information security officers are not created equal. Like the rest of us, each has their own areas of expertise and their own interests. And these differences could have a major effect on how they respond to your request or idea.
When cybersecurity was considered a technology issue, CISOs tended to have IT backgrounds. This hasn't been true for quite some time, however, as enterprises digitize, and the legal and business ramifications of security breaches can have a tremendous impact on other areas of an organization's operations.
Before you approach your company's CISO, it's important not only to do your research about the project you're proposing and to marshal support from elsewhere in the company — critical for success with any new endeavor — but also, especially, to understand which type of CISO you're dealing with.
Because, to communicate effectively with your CISO, you'll need to speak their language.
Different Strokes for Different CISO Folks
While there are almost certainly as many types of CISO as there are CISOs, I've narrowed them into three categories:
1. The Business CISO. This person considers the effects of security purchases, decisions, and breaches on the entire business. This type of CISO tends to focus on revenue, cost savings, reputation, and efficiency. They're also more likely to work in concert with other C-suite members, and to consult with them while considering your request.
Questions they might have include:
- If one of the threats you mention were to become a successful attack, how would that affect our revenue? What might our downtime be, and how much could that cost?
- What would be the effects on our company's reputation?
- How might what you're proposing help us to overcome shortages in our cybersecurity workforce or reduce our workload? How might it make the company more efficient, profitable, and secure overall?
To speak the business CISO's language, you'll fare best by discussing your project as a business enabler. People you'll want to meet with to marshal support include other C-suite executives and managers in other functions including finance, marketing, and human resources.
2. The Compliance CISO. This CISO type has a strong focus on legal matters and compliance with laws, regulations, requirements, and standards. Before approaching the compliance CISO, you may want to talk with your legal and audit teams and the chief risk officer, among others.
Compliance CISOs might be inclined to ask:
- How will what you're proposing help us become or remain compliant with the regulatory and legal frameworks that apply to us?
- How will it affect privacy, especially data privacy?
- How well does your proposal adhere to the laws and regulations in the countries where we do business?
3. The Technical CISO. This type could be the most challenging to address, especially if you aren't technically minded.
The technical CISO has come up through the ranks on the technology side. Perhaps they started as an engineer or a security engineer and know the ins and outs of the company's security infrastructure and architectures.
Regarding what you're proposing, if it's a new solution, they'll be interested in how it works. They'll want to know what's required to maintain it, which resources they'll need, and how much the maintenance will cost.
Other question they might ask include:
- Do we have the technical capabilities to accommodate what you're proposing — the hardware and other infrastructure as well as the technical expertise?
- Will we run the solution on premises or in the cloud? How much time and effort will it require to set up and run?
All these CISO types will certainly ask how your proposal stands to improve cybersecurity — that is, after all, their job. It's not the substance of what you have to say that changes with various CISO types, but the language you speak with them.
If threat intelligence is what you're proposing, for instance, all the CISO types would want to know how it works, what it will do, what it would cost, and so on.
But the technical CISO is much more inclined to want the nitty-gritty details: Which kinds of threats can this threat intelligence solution help us fend off or remediate? What do we need in our systems to prevent the threats we see from becoming risks or attacks? Does the solution you're proposing provide continuous monitoring and, should an incident occur, early warnings?
Get Your Security Ducks in a Row
Whichever type of CISO heads cybersecurity at your company, chances are they're busy much of the time. You may have difficulty getting an appointment. Why not make effective use of the waiting period?
First, make a list of questions, starting with the ones I've provided above, that you anticipate your CISO will ask when you meet.
Then, consider which people your particular CISO is most likely to speak with before deciding — and talk to those people yourself. Ask what they want or need in a solution like the one you're proposing. Talk to them about your idea and, if possible, get their support. To make change at your company, you need agreement from 10% of the rest of those in your enterprise, according to the website Rebels at Work.