Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

How a CISO Can Be a Change Agent Within a Company

In some companies, the CISO has taken on a Rodney Dangerfield like character in that: It gets no respect. And it probably won’t until both the corner office and the boardroom view security as a business risk issue rather than a technology issue. Earning that respect and becoming a change agent within the company, however, may first require the CISO to engage in some change management of his or her own.

In some companies, the CISO has taken on a Rodney Dangerfield like character in that: It gets no respect. And it probably won’t until both the corner office and the boardroom view security as a business risk issue rather than a technology issue. Earning that respect and becoming a change agent within the company, however, may first require the CISO to engage in some change management of his or her own.

For starters, it’s time to contend with and overcome the perception that your role is merely a subset of the organization’s existing internal IT team, a misperception that can cause some in leadership positions to not fully appreciate all the issues for which you are responsible. One step in changing perception is changing communication as well. You need to communicate with C-suite executives in words they understand; in particular, how your office helps them to reduce risk and protect the company’s interests.

Changing Role of CISOWhen it comes to perception, let’s start with some low-hanging fruit. In spite of all the news accounts of high-profile data breaches and malicious attacks originating externally, most organizations (especially within the C-suite) still vigorously adhere to the adage “it won’t happen to us.” They view the “risk” (and this is key) as minimal and believe it is in the media’s best interest to inflate an attack’s frequency, extent or depth.

More significantly, statistics suggest that the vast majority of data loss events have almost nothing to do with for-profit, externally-based hackers. In fact, as Ponemon cited in a recent report (PDF), “a majority of organizations have lost sensitive personal information, and among these organizations, the biggest causes are internal and therefore something they could potentially control.” That finding alone flies in the face of what most CISOs are tasked with and can potentially diminish the role’s perceived value to the organization.

Finally, perception, particularly at the level of the boardroom, is still very much reality. And when you get to that level of an organization, communication must trump perception. After all, the average tenure of a CISO is 22 months. And typically they don’t get final say on budget. In fact, some around the table may see you merely as an extension of their own internal IT group which they fund mostly because IT improves employee productivity, thwarts downtime, which affects profitability and, in turn, impacts the bottom line. So right from the starting gate, your negotiating strength is limited by how your “audience” perceives you.

So, as a CISO, how do you put yourself in the best possible position to become a change agent? For starters try open and honest communication. To many in leadership roles, IT is technical and the individuals who support it largely speak in an entirely different language to that of the business. To achieve common ground you need to translate technical jargon into business terms they “get.”

That’s not to say that CISOs don’t deal with complex, technical things. They do get in the weeds. However, it is essential for a CISO to put this wealth of technical information into words that the CEO and other business leaders can understand and care about. In fact, in order for security to grow in importance with the enterprise, the CISO needs to be able to answer simple questions – and frame what’s at stake – for the front office, such as:

1. Am I more secure today than I was yesterday?

2. What is the greatest threat to our organization based on the way we work today and how we go about our business?

Advertisement. Scroll to continue reading.

3. What should I expect proper risk to look like?

4. What’s my best case scenario?

5. What should we budget in order to effectively manage risk? (as a take-away CEOs generally don’t know if they are spending too much or too little on security)

Answering those questions — and much like a lawyer who knows the answer to the question before he or she asks their client in open court — enables, empowers and engages a CEO to better understand the risk to the organization and why, as his administrator in that role, you are not only hardening internal security but also managing external risk.

As Stuart King writes in a recent post on Computerweekly.com, “for the CISO to achieve boardroom support, the role must become focused on risk rather than security and better able to communicate value: better metrics, better business cases, and better able to form partnerships with the key players in the organization. Only then will the CISO be allowed the same entrepreneurial role that is afforded to many chief information officers and where information security governance is baked into overall corporate governance.”

As we’ve seen, a CISO seeking to be a change agent for an organization must not only overcome perceptions where they are erroneous but also manage expectations where they properly apply. It also requires a well-rehearsed ability to communicate with the CEO, that just as he (or she) assumes risk for the business at large, you as CISO are assuming all risks associated with the information the business needs to protect. Positioned that way and expressed using common business language, it’s a win-win for the entire organization.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem