Digital technologies have become more embedded in every aspect of business, especially with the worldwide adoption of remote work as the new standard. More than ever, businesses need leadership with both technical knowledge and business-centric cybersecurity expertise. All of these changes, along with the increased scope of assets to be secured, have propelled the evolution of the CISO.
Traditionally, CISOs oversee strategic, operational, and budgetary aspects of data management and protection. Translation: they have reached their position by demonstrating technology expertise, but now they are expected to also provide savvy business leadership.
Many CISOs lack a strong relationship with executive leadership to effectively champion strategic, long-term cybersecurity initiatives. I want to present ways for CISOs to translate cybersecurity needs into meaningful business initiatives that will get them the budget, people and technology they need.
Create a strategy you can articulate to the executive team
How does a CISO start thinking like an executive? The best way to “get a seat at the table” is to actually be relevant. Board meetings don’t include ground-level action items. Executives are concerned with the larger view of the business. They see the forest, not the tree. What’s more, they usually have a laundry list of hundreds of items that are all “priority.” So basically, get in line. They have to prioritize everything, because they do NOT have an endless budget to burn.
As a CISO, you know the most pressing matters for your department and for the overall security posture of the company. However, your executive team will not see things in terms of technology. They don’t have time to become cybersecurity gurus.
What do you do? Bring a perspective that offers solutions. You must position and present your cybersecurity initiatives in the following ways:
- Make them reasonable – Bring the top three high priority cybersecurity needs that the company can reasonably pay for or implement. Ask yourself if it fits into the budget, time frame and overall framework of the company.
- Make them relevant – In the grand scheme of the business, the executive team is looking for something that is timely and will help the business. If it is an emergency item, then make sure you communicate that clearly. If it can wait, then it does not go on the high priority list.
- Make them impactful – Your executive team will pay close attention to you if you bring a solution, not a complaint. As you prioritize your top cybersecurity needs, quantify how much of an impact they make on the business and how much value they will bring to your organization.
Create a cybersecurity strategy to prevent and respond to attacks
Generally, CISOs focus on security strategy. They work with stakeholders and direct reports to understand and stack rank risks and related threats, and establish and grow programs and capabilities to stop them. When a breach or significant threat is identified, they lead the charge to fix the problem. But now, CISOs need to think about not just security strategy, but long-term business strategy. Part of that means communicating business value and business risk better.
Evaluate cybersecurity tools
As CISOs look at tools and develop security procedures, they are often reviewing multiple product sheets and comparison charts. Sometimes they take a shot in the dark and choose a tool that doesn’t fulfill the right need. There has to be a better way to evaluate these tools.
When looking at cybersecurity solutions, evaluate them on the following criteria:
- Capability to deliver practical security, i.e. what they are designed for
- Architectural build quality
- Vendor and supply-chain provenance
- Compliance with your selected common security framework
Use a framework to guide strategic planning
Put technology aside and start with your framework. What are the requirements and needs of the organization with reference to cybersecurity? Start by looking at security categories and decide what controls need to be in place in order to have a strong defensive posture.
There are several frameworks, but here is a list of some of the top ones:
- NIST Cybersecurity Framework
- ISO 27001 and ISO 27002
Once you choose a framework, educate yourself on it and on what needs to be done as far as meeting the controls of this framework. As you understand the framework and the context of your business, you will be in a better position to make an educated decision on a cybersecurity tool.
Find a risk quantification method that takes that technical information and aggregates it into cyber risk scoring you can present to the business leaders of the company. Put that information in terms of fiscal cost, and you will have a better footing for getting what you need. Provide empirical data, and use technology that allows you to do that.
Present your information to the C-suite in the following manner: If we don’t do ‘x’ then ‘y’ will happen and ‘z’ is the consequence if ‘y’ happens. The variable ‘z’ is the number that you need to present to your executive team. The consequences of a breach are far more detrimental than people think: reputational impact, PR impact, asset impact, etc. Paying out ransomware is only one facet of lost revenue from a cyber attack. Make sure that your strategy communicates the exact cost of vulnerability to the executive board.
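As an added illustration of the “if we don’t do ‘x’, then ‘y’ will happen, and ‘z’ is the consequence” framing (this is not code from the original post, and the scenario names, dollar figures and budget are constructed assumptions), the script below uses a simple annualized loss expectancy model: each ‘y’ is a loss event with an expected annual rate and a loss per event, each ‘x’ is the control that reduces that rate, and ‘z’ is the expected annual loss in dollars. It then ranks the initiatives by net annual benefit and picks the ones that fit a budget, which is the “top three the company can reasonably pay for” list from earlier in the post.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One 'if we don't do x, y happens, z is the cost' line for the board."""
    event: str             # 'y': the loss scenario
    annual_rate: float     # expected occurrences per year (annualized rate of occurrence)
    loss_per_event: float  # dollars lost per occurrence (single loss expectancy)
    control: str           # 'x': the initiative that mitigates the scenario
    control_cost: float    # annual cost of the control, in dollars
    rate_reduction: float  # fraction of occurrences the control prevents, 0.0 to 1.0

    def annual_loss_expectancy(self) -> float:
        """'z': expected annual loss if we do nothing."""
        return self.annual_rate * self.loss_per_event

    def residual_ale(self) -> float:
        """Expected annual loss that remains after the control is in place."""
        return self.annual_loss_expectancy() * (1.0 - self.rate_reduction)

    def net_benefit(self) -> float:
        """Loss avoided per year minus what the control costs per year."""
        return self.annual_loss_expectancy() - self.residual_ale() - self.control_cost

    def board_line(self) -> str:
        """The sentence in the x/y/z form, with 'z' stated as a dollar figure."""
        return (
            f"If we don't {self.control}, '{self.event}' is expected about "
            f"{self.annual_rate:.2f} times a year at ${self.loss_per_event:,.0f} "
            f"per event, i.e. ${self.annual_loss_expectancy():,.0f} of expected "
            f"annual loss. Spending ${self.control_cost:,.0f}/yr cuts that to "
            f"${self.residual_ale():,.0f}/yr."
        )


def portfolio_ale(risks: list) -> float:
    """Aggregate cyber risk as one fiscal number: total expected annual loss."""
    return sum(r.annual_loss_expectancy() for r in risks)


def rank_initiatives(risks: list, budget: float) -> list:
    """Order initiatives by net annual benefit, then greedily fund those that
    both pay for themselves and fit within the budget."""
    ranked = sorted(risks, key=lambda r: r.net_benefit(), reverse=True)
    chosen, spent = [], 0.0
    for r in ranked:
        if r.net_benefit() > 0 and spent + r.control_cost <= budget:
            chosen.append(r)
            spent += r.control_cost
    return chosen


# Constructed sample risk register; every number here is an assumption made
# up for this example, not data from the post or from any real organization.
RISKS = [
    Risk("ransomware via phished credentials", 0.3, 1_200_000,
         "roll out phishing-resistant MFA", 150_000, 0.8),
    Risk("customer database exposed through an unpatched internet-facing server", 0.5, 800_000,
         "fund a vulnerability management program", 120_000, 0.7),
    Risk("business email compromise payment fraud", 1.0, 90_000,
         "add out-of-band payment verification", 20_000, 0.9),
    Risk("insider data exfiltration", 0.1, 500_000,
         "deploy data loss prevention tooling", 200_000, 0.5),
]

if __name__ == "__main__":
    print(f"Total expected annual loss today: ${portfolio_ale(RISKS):,.0f}\n")
    for r in rank_initiatives(RISKS, budget=300_000):
        print(r.board_line())
```

The ranking deliberately drops any control whose annual cost exceeds the loss it avoids (the constructed DLP line above is there to show that case), so the list handed to the executive team contains only initiatives with a positive fiscal argument; replace the constructed figures with numbers from your own incident history and vendor quotes before using this framing.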
Develop deeper relationships with peers and the Board
Historically, the CISO has been an IT director who got promoted. While they have incredible cybersecurity knowledge and industry longevity, their tech background does not always help them communicate effectively with the executive team. However, that is all starting to change as cybersecurity comes to the forefront of business goals.
CISOs should have a relationship with the Board, because they are responsible for the cybersecurity of the organization. Here’s what you need to do to put yourself in this position.
The first step towards developing a relationship with the executive leadership team is to start speaking their language and understanding their perspective. It can be difficult for a tech-centric CISO to make this critical shift in perspective from cybersecurity on a technical level to business-centric cybersecurity initiatives.
That’s why I developed the program, Be the Exception, to give you my perspective as a CEO with over 30 years of IT and cybersecurity experience. I’ll show you how to crosswalk your cybersecurity needs to align with business value for the Board, and the tips I’ve learned for getting full approval for your vision.
Start creating the impact you want with this free, on-demand content, Be the Exception. Sign up now.