Dark Reading’s survey of CISO influence shows that the field has reached an inflection point. For a C-level security executive, it’s probably obvious: Most infosec leaders can feel there’s a revolution afoot without having to sift through the data to prove it.
As organizations push forward with digital transformation, cybersecurity is on everyone’s radar. Daily headlines of devastating cybercrime build awareness, but there’s lots more work to do. As a result, the role of the security chief is evolving, and the CISO’s importance continues to grow in the eyes of top executives and boards.
Though only 27% of security officers surveyed say they report directly to the CEO, that’s a much higher indicator of CISO influence than has been seen in other major studies conducted in the last few years. In this most recent snapshot, almost all — 97% — of CISOs and CSOs have at least some visibility to executive leadership.
This is a welcome change. Since the “C” in CISO stands for Chief, those in the C-suite share at least a few things in common: They are in direct charge of operational and financial performance within their areas of responsibility, and they answer to the CEO and board of directors in matters relating to growing the business.
Perhaps the survey’s biggest takeaway for today’s CISO is that unless they speak to the business and take direct action in growing and maintaining profitable customers, they won’t earn their seat at the C-suite table.
The Good News
The data points coming out of this survey show that security leaders are valued, and the importance of cybersecurity to the business is integrated into almost every aspect of business process and planning. Unfortunately, the results are still mixed in terms of how others view security and the CISO, and there is often confusion about connecting security key performance indicators (KPIs) with business performance.
Getting the C-suite to listen is always a net positive, but plenty of inconsistencies remain. Almost a third in the survey say they are asked to provide on-demand performance updates, yet only 18% have access to continuous metrics. Another third say that security controls and management are still not integrated, and yet over half are required to pinpoint ROI for their security spending. For the most part, CISOs still struggle to mature their practices in reporting to the CEO and board. The good news here is that, when they do, they gain tangible authority and credibility.
The Three Do’s
There are three actions that CISOs must take to gain the credibility and confidence of their peers and stakeholders. The study confirms that if these actions are not taken in today’s cyber world, it’s an uphill battle:
1. Develop and manage key stakeholders. Walk the hallways — real or virtual — and talk to stakeholders about what is important to them. This kind of interpersonal relationship building is not normally associated with cyber types, and maybe it’s more “management by Zoom” these days, but it’s the same idea. CISOs must become strategic, trusted advisers to fellow officers and directors. Nothing can substitute for direct interaction to get people aligned to action.
2. Understand the business. Technical skills and expertise are no longer enough. The enterprise-specific nuances of compliance, risk management, threat modeling, detection, and response are now guaranteed to be different with almost every company. The extension of digital product life cycles forces the need for a more business-savvy approach. This puts pressure on the CISO to accurately align the cybersecurity program with the mission of the business and the needs of its customers.
It’s still true that perhaps 60% of a cybersecurity program can work across any company. It’s that 40% that’s turned into a wild card unique to every business, and where CISOs get into trouble if they don’t understand the business of the business.
3. Be able to demonstrate value. Measurement is moving toward the custom and qualitative in cyber, so connect risk management metrics to the nuances of the business, its products, services, supply chain, and customers. Again, understand what the organization is trying to mitigate, remediate, and manage, and be able to explain the why to peers who don’t understand cyber as well as an infosec leader does.
Come up with KPIs that track which risks the company is managing, measured against business imperatives. Convince fellow executives that, while not all risk can be eliminated, they need to think in terms of managing it and creating operational resilience with a defensible risk posture that makes sense for the organization.
It’s Time CISOs Arrived
These three actions form the foundation of the security program and shape how a CISO’s career and compensation path will follow. The Dark Reading research delivers confidence that security leaders’ influence and credibility are rising fast within the chain of command. Every CISO should focus on keeping up with the evolution from technical tactician to business strategist, earning respect, and finally taking ownership of that seat at the table.
About the Author
Michael Eisenberg is a seasoned information security professional with more than 30 years of experience working across public and private sectors including two global Fortune 250 organizations (Aon and McDonald’s Corporation), the government sector and the US military. As Vice President of Strategy, Privacy, Risk at Coalfire, Michael leverages his experience through a range of security consultative services that help C-level officers build and improve security strategies and deliver cybersecurity programs. He received a master’s degree in computer science from Illinois Institute of Technology. Michael holds CISSP, CISA, CISM, and CRISC security certifications.
Copyright © 2021 Informa PLC Informa UK Limited is a company registered in England and Wales with company number 1072954 whose registered office is 5 Howick Place, London, SW1P 1WG.