Security Experts:

How a CISO Can Be a Change Agent Within a Company

In some companies, the CISO has taken on a Rodney Dangerfield like character in that: It gets no respect. And it probably won’t until both the corner office and the boardroom view security as a business risk issue rather than a technology issue. Earning that respect and becoming a change agent within the company, however, may first require the CISO to engage in some change management of his or her own.

For starters, it’s time to contend with and overcome the perception that your role is merely a subset of the organization’s existing internal IT team, a misperception that can cause some in leadership positions to not fully appreciate all the issues for which you are responsible. One step in changing perception is changing communication as well. You need to communicate with C-suite executives in words they understand; in particular, how your office helps them to reduce risk and protect the company’s interests.

Changing Role of CISOWhen it comes to perception, let’s start with some low-hanging fruit. In spite of all the news accounts of high-profile data breaches and malicious attacks originating externally, most organizations (especially within the C-suite) still vigorously adhere to the adage “it won’t happen to us.” They view the “risk” (and this is key) as minimal and believe it is in the media’s best interest to inflate an attack’s frequency, extent or depth.

More significantly, statistics suggest that the vast majority of data loss events have almost nothing to do with for-profit, externally-based hackers. In fact, as Ponemon cited in a recent report (PDF), “a majority of organizations have lost sensitive personal information, and among these organizations, the biggest causes are internal and therefore something they could potentially control.” That finding alone flies in the face of what most CISOs are tasked with and can potentially diminish the role’s perceived value to the organization.

Finally, perception, particularly at the level of the boardroom, is still very much reality. And when you get to that level of an organization, communication must trump perception. After all, the average tenure of a CISO is 22 months. And typically they don’t get final say on budget. In fact, some around the table may see you merely as an extension of their own internal IT group which they fund mostly because IT improves employee productivity, thwarts downtime, which affects profitability and, in turn, impacts the bottom line. So right from the starting gate, your negotiating strength is limited by how your “audience” perceives you.

So, as a CISO, how do you put yourself in the best possible position to become a change agent? For starters try open and honest communication. To many in leadership roles, IT is technical and the individuals who support it largely speak in an entirely different language to that of the business. To achieve common ground you need to translate technical jargon into business terms they “get.”

That’s not to say that CISOs don’t deal with complex, technical things. They do get in the weeds. However, it is essential for a CISO to put this wealth of technical information into words that the CEO and other business leaders can understand and care about. In fact, in order for security to grow in importance with the enterprise, the CISO needs to be able to answer simple questions – and frame what’s at stake – for the front office, such as:

1. Am I more secure today than I was yesterday?

2. What is the greatest threat to our organization based on the way we work today and how we go about our business?

3. What should I expect proper risk to look like?

4. What’s my best case scenario?

5. What should we budget in order to effectively manage risk? (as a take-away CEOs generally don’t know if they are spending too much or too little on security)

Answering those questions — and much like a lawyer who knows the answer to the question before he or she asks their client in open court — enables, empowers and engages a CEO to better understand the risk to the organization and why, as his administrator in that role, you are not only hardening internal security but also managing external risk.

As Stuart King writes in a recent post on Computerweekly.com, “for the CISO to achieve boardroom support, the role must become focused on risk rather than security and better able to communicate value: better metrics, better business cases, and better able to form partnerships with the key players in the organization. Only then will the CISO be allowed the same entrepreneurial role that is afforded to many chief information officers and where information security governance is baked into overall corporate governance.”

As we’ve seen, a CISO seeking to be a change agent for an organization must not only overcome perceptions where they are erroneous but also manage expectations where they properly apply. It also requires a well-rehearsed ability to communicate with the CEO, that just as he (or she) assumes risk for the business at large, you as CISO are assuming all risks associated with the information the business needs to protect. Positioned that way and expressed using common business language, it’s a win-win for the entire organization.

Mark Hatton is president and CEO of CORE Security. Prior to joining CORE, Hatton was president of North American operations for Sophos. He has held senior roles with companies ranging from venture capital-backed, early-stage software vendors to a Fortune 500 information technology services and distribution organization. Hatton holds an MBA from Boston University, Massachusetts and a BA Communication from Westfield State College, Massachusetts.