Digital technologies have become more embedded in every aspect of business, especially with worldwide adoption of remote work as the new standard. More than ever, businesses need leadership with both technical knowledge and business-centric cybersecurity expertise. All of these changes, along with the increased scope of assets to be secured have propelled the evolution of the CISO.

Traditionally, CISOs oversee strategic, operational, and budgetary aspects of data management and protection. Translation: they have reached their position by demonstrating technology expertise, but now they are expected to also provide savvy business leadership.

Many CISOs lack a strong relationship with executive leadership to effectively champion strategic, long-term cybersecurity initiatives. I want to present ways for CISOs to translate cybersecurity needs into meaningful business initiatives that will get them the budget, people and technology they need.

Create a strategy you can articulate to the executive team

How does a CISO start thinking like an executive? The best way to “get a seat at the table” is to actually be relevant. Board meetings don’t include ground-level action items. Executives are concerned with the larger view of the business. They see the forest, not the tree. What’s more, they usually have a laundry list of hundreds of items that are all “priority.” So basically, get in line. They have to prioritize everything, because they do NOT have an endless budget to burn.

As a CISO, you know the most pressing matters for your department and for the overall security posture of the company. However, your executive team will not see things in terms of technology. They don’t have time to become cybersecurity gurus.

What do you do? Bring a perspective that offers solutions. You must position and present your cybersecurity initiatives in the following ways:

  • Make them reasonable – Bring the top three high-priority cybersecurity needs that the company can reasonably pay for or implement. Ask yourself whether each one fits into the budget, time frame and overall framework of the company.
  • Make them relevant – In the grand scheme of the business, the executive team is looking for something that is timely and will help the business. If it is an emergency item, then make sure you communicate that clearly. If it can wait, then it does not go on the high priority list.
  • Make them impactful – Your executive team will pay close attention to you if you bring a solution, not a complaint. As you prioritize your top cybersecurity needs, quantify how much of an impact they make on the business and how much value they will bring to your organization.

Create a cybersecurity strategy to prevent and respond to attacks

Generally, CISOs focus on security strategy. They work with stakeholders and direct reports to understand and stack rank risks and related threats, and establish and grow programs and capabilities to stop them. When a breach or significant threat is identified, they lead the charge to fix the problem. But now, CISOs need to think about not just security strategy, but long-term business strategy. Part of that means communicating business value and business risk better.

Evaluate cybersecurity tools

As they look at tools and develop security procedures, they are often reviewing multiple product sheets and comparison charts. Sometimes they take a shot in the dark and choose a tool that doesn’t fulfill the right need. There has to be a better way to evaluate these tools.

When looking at cybersecurity solutions, they should be evaluated on the following criteria:

  • Capability to deliver on what they’re designed for: practical security
  • Build and architectural quality
  • Vendor and supply-chain provenance
  • Compliance with your selected common security framework

Use a framework to guide strategic planning

Put technology aside and start with your framework. What are the requirements and needs of the organization with respect to cybersecurity? Start by looking at security categories and decide what controls need to be in place in order to have a strong defensive posture.

There are several frameworks, but here is a list of some of the top ones:

Once you choose a framework, educate yourself on it and on what needs to be done as far as meeting the controls of this framework. As you understand the framework and the context of your business, you will be in a better position to make an educated decision on a cybersecurity tool.

Quantify risk

Find a risk quantification method that takes that technical information and aggregates it into a cyber risk score you can present to the company’s business leaders. Put that information in terms of fiscal cost, and you will have a better footing for getting what you need. Provide empirical data, and use technology that allows you to do that.

Present your information to the C-suite in the following manner: If we don’t do ‘x’ then ‘y’ will happen and ‘z’ is the consequence if ‘y’ happens. The variable ‘z’ is the number that you need to present to your executive team. The consequences of a breach are far more detrimental than people think: reputational impact, PR impact, asset impact, etc. Paying out ransomware is only one facet of lost revenue from a cyber attack. Make sure that your strategy communicates the exact cost of vulnerability to the executive board.

Develop deeper relationships with peers and the Board

Historically, CISOs have been IT directors who got promoted. While they have incredible cybersecurity knowledge and industry longevity, their tech background does not always help them communicate effectively with the executive team. However, that is all starting to change as cybersecurity comes to the forefront of business goals.

CISOs should have a relationship with the Board, since they are responsible for the cybersecurity of the organization. Here’s what you need to do to put yourself in this position.

The first step towards developing a relationship with the executive leadership team is to start speaking their language and understanding their perspective. It can be difficult for a tech-centric CISO to make this critical shift in perspective from cybersecurity on a technical level to business-centric cybersecurity initiatives.

That’s why I developed the program, Be the Exception, to give you my perspective as a CEO with over 30 years of IT and cybersecurity experience. I’ll show you how to crosswalk your cybersecurity needs to align with business value for the Board, and the tips I’ve learned for getting full approval for your vision.

Start creating the impact you want with this free, on-demand content, Be the Exception. Sign up now.

Nichole Kelly

Vice President of Growth

Nichole Kelly brings over two decades of experience in growing organizations’ top-line and bottom-line revenue. As one of the leading marketing influencers, she is the author of "How to Measure Social Media" and has traveled the world teaching marketers how to build and execute ROI-driven marketing strategies at every major marketing conference. Also an entrepreneur, Kelly was the founder of SME Digital, a digital marketing agency that was sold to Renegade Marketing.

Kelly leads an active life of service and is the founder of The Bipolar Executive blog and podcast. This project is designed to help shift the conversation around mental illness to one of mental wellness in Corporate America.

Kelly holds a Bachelor’s Degree in Business Administration with a minor in Marketing from Saint Leo University.

Connect on my blog The Bipolar Executive

Chris Schroeder

Vice President of Engineering, Co-Founder

Chris Schroeder has over 25 years of experience in large complex IT environments from the Fortune 500 to the federal government. Chris has an extensive technology background in mobility, infrastructure operations, and data analytics. Schroeder is a seasoned entrepreneur and co-founder of App47 and the Vice President of Engineering and co-founder of RealOps (sold to BMC).

Chris is an active volunteer in his community coaching boys and girls lacrosse, supporting high school STEM programs, and serving on the Pastoral Council.

Schroeder holds a Bachelor’s Degree in Computer Science from Radford University and a Master’s Degree in Technology Engineering from George Washington University.

Sean McDermott

President & CEO, Founder

Sean McDermott’s curiosity for advancing technology began at his first job as a network engineer/architect installing and managing the first private internet for the U.S. Department of Justice. At a time when the internet was just taking off, McDermott was at the forefront and has continued to be on the cutting edge of technology, leading Fortune 500 companies through the dot-com bust, 9/11 and the 2008 recession. Sean has over three decades of experience working with CIOs in the Fortune 500 to trailblaze innovation and protect the IT infrastructure of the largest commercial and federal organizations in the world.

McDermott is a mission-driven, serial entrepreneur who founded Windward Consulting Group, RealOps, Inc. (sold to BMC), App47 and RedMonocle. He is also the founder of the Windward Foundation and Alzheimer’s Caregiver Alliance, an organization dedicated to easing the burden of caregiving for individuals and families touched by Alzheimer’s disease.

McDermott is a member of the Forbes Tech Council and has been featured in Security Boulevard, TechRepublic, IT Visionaries, APM Digest, Inside BigData, DevPro Journal, IT Toolbox and more. He holds a Bachelor’s Degree in Electrical Engineering from Villanova University and a Master’s in Engineering Management from The Catholic University of America.

Connect on my blog Wheels up World