Overcoming Appeasement: Think About Risk From the Business Out

For a couple of decades now, the career path of a cybersecurity professional has been evolving just like the rest of the tech industry. Years ago the top title was the dedicated “security officer,” who was generally also the CIO, the CFO, or some other officer of the company.  

Of course all the IT security pros felt that role should reside with them, so eventually it did, and even more eventually we created a role called the CISO, the chief information security officer.

The problem with the CISO role today is that it holds a C-level title but may not always be at the C-level. In your typical organization, you might have the CEO, the COO, the CIO, and then the CISO — a C-level title that’s three steps down the chain.

That’s not the C-suite, folks—it’s appeasement. It’s title inflation meant to quiet an increasingly important group that wants a stronger seat at the table.

So how does our CISO profession continue to evolve and gain that seat?

First, we have to stop giving the security community a bad name by being the “no” people. For too long we’ve had a centralized view that security is of higher importance than the business itself. We can’t keep taking an adversarial approach.

The CISOs who have been highly successful are those who made themselves an integral part of the business. They may be responsible for a couple dozen compliance regimes, but they’re not simply demanding compliance reports. Your most successful CISO is usually one whose primary goal is to make the business successful.

Any time we’re dealing with a critical business process, first and foremost that process needs to keep running. The CISO needs to start there, and develop a control profile designed to mitigate risk while enabling the business to continue seamlessly.

How can you quantify that risk if you haven’t quantified the value to the business? That’s what compensating controls are about. It’s not about the FUD of what malware has done to other people. Successful CISOs find a way to mitigate risk without putting a cumbersome gateway on an important business process.


The way to do that is to truly understand every process that powers the company. Before we ever do a risk analysis, it’s critical to know the business inside and out. Today it is a key skill to truly understand the business organism and be able to articulate how it lives. That means the entire business process — from somebody creating an order, to distributing something from a warehouse, to understanding the value of every cog that exists.

Knowing the business inside and out makes it easy to articulate areas of weakness. The real differentiator for a CISO who has a true seat at the executive table lies in that ability to correlate a real understanding of the business to threats and risks, and then communicate those threats back to the company in business language. Only then will executives understand the implications and impact of those threats and the relative importance of any mitigations.

In this way we become partners who justify and enable business decisions — while maintaining the position and authority necessary to have difficult conversations about risk when necessary.

As the CISO function continues to evolve, these skills are becoming table stakes for the position. There are currently millions of jobs and too few people to fill them. This is driving up salaries, which in turn attracts a broader pool of candidates. With that, it won’t just be IT professionals who are drawn to the CISO career path, but also MBAs and other business experts who understand the language of business and can learn security. 

For existing CISOs, the best way to approach your career today is by building your own business savvy. Partner with business groups to help them understand risk, and in turn improve your own understanding of the business logic that drives IT decisions. To take that next step and gain the ear of the C-suite, we must start to make that pivot — to build security from the business out. 
