The Time Has Arrived for CISOs to Achieve Real C-Suite Status
David Lammert/Pinnacle Placements Security Recruiting Firm
Prior to March of 2020, corporations were racing forward with the global digital transformation while many were enjoying record economic growth. The focus for the Chief Information Security Officer (CISO) in these organizations was to prevent breaches, reduce risk, and keep pace with the digital transformation underway. In other words: don't stifle growth and innovation, and make sure we aren't harmed by a security breach.
However, some high-profile breaches, the global pandemic, and the telework transition continue to change the focus of the CISO. In addition to executing an effective information security strategy, the necessity to contribute as a C-level collaborator rises by the day.
These changes, along with the responsibility to smoothly guide the information security function through the pandemic, shutdowns, and transition to remote work, continue to elevate the CISO's profile and responsibility for giving the organization the foundation to bounce back.
Today's top-tier CISOs must be business-aligned security leaders who view their job as a balancing act between the opposing efforts of risk mitigation and business innovation. To succeed at this task, CISOs must not only manage their own information security organizations but also establish and build relationships with their CEOs, boards of directors, and a variety of C-level peers.
The ability to communicate and collaborate both up and across the chain of command is a skill set that many executives lack; however, it is a major shortcoming for many CISOs today. In the past, employers have been content hiring CISOs based mostly on technical knowledge and capability. They managed the servers and monitored security dashboards in an office tucked neatly out of sight. They emailed updates and supervised a relatively small staff, and they rarely interacted with other internal business units and executives.
Emerging from Behind the Curtain
A rapidly moving evolution is underway. Today every major corporation’s board and C-level leaders are on the hook for cybersecurity risk mitigation and the fallout for poor practices and breaches. Boards are directly engaged to get a more complete understanding of what’s going on, and they don’t want to hear about it from the CEO or the CIO. They want to talk to the person in charge of Information Security.
This recent thrust of the cybersecurity leader into the spotlight is a lot of pressure and responsibility for someone who probably wasn't hired for these types of interactions. Those CISOs who can do that well are people in high demand. Information security leaders might be doing stellar work, but because they are not schooled in how to interact with board members and present a compelling case to them, they risk being viewed as inadequate for their job.
The CISO's peers have run this gauntlet in the past, pushed from relative obscurity onto the center stage. During the era of the Sarbanes-Oxley Act, board members wanted to hear from their company's financial leaders to better understand the impact of financial statements and how to build robust internal controls. As technology became more central to corporate competitiveness, the board called on CIOs to help connect the dots between IT and business strategy. Many went through a trial by fire, and those who failed to meet the challenge were often pushed out the door. In the past few years, the Chief Marketing Officer (CMO) has faced a similar gauntlet with the advancement of digital marketing and transformation.
Like the CFOs, CIOs, and CMOs who came before them, CISOs are now learning how to work with a diverse group of non-infosec stakeholders in a short period of time, each of whom has their own specific interests in cybersecurity.
The large-scale use of technology in business today means that legal, HR, marketing, ethics, compliance, and the board must understand these cybersecurity technologies, along with their risks and implications. Today CSOs and CISOs must learn how to be team leaders and group leaders, but also collaborators. As part of the cybersecurity evolution, CSOs and CISOs are moving from being assessors, technical wizards, and compliance regulators to being business enhancers.
This means not only presenting before the board but also more frequent engagement with the executive team, fostering more open dialogue among business unit leaders, and quarterbacking the effort to influence corporate culture to recognize the value of information security. This is not an easy undertaking on the part of the CISO. They may encounter some resistance, even with the best of intentions.
The best place to start is with the CEO and CIO. It is likely the CEO is already taking an active role by seeking updates on cybersecurity. CISOs can learn what they need to do differently to be more effective in those conversations, seeking and accepting feedback on what works and what does not. The CIOs, especially the high percentage who have CISOs reporting to them, have a vested interest in helping their information security leaders develop their skills in managing vertically and horizontally within the organization. They should be allies with an incentive to help, and they have likely lived through this experience themselves.
Value of Information Security
CISOs should capitalize on every opportunity they have to be a "security evangelist." Speaking to all types of audiences increases their capacity for explaining the value of information security in plain English.
Just as important to CISO success as learning how to speak to business leaders is taking the time to understand their goals. The infosec function has long been viewed as the department of "no," with the CISO being a brick wall to business success. To combat this perception, top-tier CISOs have made a concentrated effort to collaborate with key internal stakeholders early, because the earlier information security is built into business strategy, the more likely it is that the CISO will be able to put effective practices in place. Then CISOs and their teams are partners and allies, not disruptors. They are business leaders who are helping to ensure and safeguard the confidentiality, integrity, and availability of a company's processes and success.
To garner a reputation as problem-solvers rather than barrier builders, CSOs and CISOs identify listening as a key trait for understanding the problems, as opposed to being viewed as the internal adversary who is making others' jobs harder than they should be. By being an active listener, you build those relationships, so others believe you share common ground and the desire to reach the same goal.
While the incentive to sharpen his or her business-communication and collaboration skills lies with the cybersecurity leader, corporate leaders who have concerns that their security leaders aren't up to the task should take an active role in helping them improve. Business-savvy CISOs are still hard to come by, and companies may be better off growing their own than taking their chances on the open market.