SecurityWeek

Management & Strategy

The New Language Of A Highly Effective Cybersecurity Leader

Every organization is a potential target for a cyberattack. The impact can be devastating, from loss of data and customer trust to significant financial losses. In fact, the overall security environment has become so demanding that there has been a growing focus on developing a new breed of security leaders.

Organizations are looking for leaders who can not only design robust security systems to protect against the onslaught of cyberattacks, but also develop an effective security strategy that aligns with the business. It is no wonder that the role of the Chief Information Security Officer (CISO) has evolved over the last couple of years, from technical security guru in the back office to governance, risk and compliance manager with board visibility. In fact, one of the key characteristics of a highly effective security leader is the ability to straddle the fence between technology and business, and to communicate risk in the right language to each of the different stakeholders in the organization:

Communications to the C-suite and the board – Without support at the executive and board level (and the organizational structure and budget that come along with it), a security leader cannot execute on his or her strategy. While security practitioners may be worried about attacks and the details of an intrusion, board members and the C-suite are more worried about risk, compliance and availability.

According to the IBM 2013 Chief Information Security Officer Survey, each C-suite executive has a different security worry: “CEOs are most sensitive about negatively impacting brand reputation or customer trust. CFOs fret about financial losses due to a breach or incident. COOs lose sleep over operational downtime. Finally, CIOs have a broad set of concerns, including breaches, data loss and implementing new technologies”. A cybersecurity leader needs to be able to demonstrate how he or she is balancing business needs against security risks, and has to be able to translate that balance into metrics that are well understood at the C-suite and board level. The ability to show a dollar return on security initiatives is critical to ensuring continued executive support for security investments.

The good news is that the interaction at this level is increasing. According to this year’s Global Information Security Survey (PDF) from consultancy Ernst & Young, 35 percent of information security professionals report quarterly on the state of information security to the company board and the chief executive and about 10 percent report monthly. This is a significant contrast to last year, when no information security professionals said they reported to senior executives.

Communications to security practitioners – While line-of-business leaders or application developers may readily consider initiatives that enable the organization, security practitioners generally have a more risk-averse attitude, and their first reaction is to say no to any new request that changes how they have designed their existing security systems. The more practical perspective is one that balances business needs against security risks. For example, a completely closed, wired-only network where every user must be physically in the building using only sanctioned, IT-managed PCs bolted to the wall is simply not a realistic way to address the threats that mobile devices introduce into the network. A better mobile cybersecurity strategy is one where laptops, smartphones and tablets are allowed onto the network, but where the type of application access granted depends on the device, the user and the state of the device.

A cybersecurity leader must start with a clear understanding of current business objectives and future plans – from internal organizational changes such as mergers, acquisitions and a focus on new markets, to collaboration with external entities like partners, contractors, and countries of interest.

With this foundation, he or she can determine where the most important data resides, who should have access to it, how they should access it, what compliance requirements need to be addressed, and what security options are possible. Visibility into the available security options provides an effective way to understand the risk and reward tradeoffs.

Security innovation must be the enabler. Just as attackers continually refine their techniques, the only way to keep up with the evolving threat landscape is to understand what technology arsenal is available. There is a temptation to adopt the latest “cool” point product as the silver bullet for the latest security woes, but it is better to apply selection criteria such as how holistically the solution solves the problem, its operational flexibility and how well it integrates with what is already deployed. For example, solutions whose policies enable the business, are flexible and agile, and can be managed easily will deliver more value than a complicated point solution that solves one problem and requires exorbitant consulting services to deploy.

Communications to users – A cybersecurity strategy is ineffective unless it is communicated effectively to the users in the company. Cybersecurity leaders must communicate security processes frequently to all employees, and track employee acknowledgement of them in the same way the organization records acknowledgement of its code of business conduct. Security awareness must permeate every level of the organization, and all employees must understand the appropriate use of organizational assets, data and technology.

In summary, the most effective CISOs today cannot just be experts in security. Organizations need a versatile security leader who also possesses the business acumen to strategize and to act as the liaison between security and the business. An effective cybersecurity leader speaks a new language: one that is a blend of technology and business.

Written By

Danelle is CMO at Ordr. She has more than 20 years of experience in bringing new cybersecurity technologies to market. Prior to Ordr, she was CMO at Blue Hexagon (acquired by Qualys), a company using deep learning to detect malware, and CMO at SafeBreach, where she helped build the marketing organization and define the Breach and Attack Simulation category. Previously, she led strategy and marketing at Adallom, a cloud security company acquired by Microsoft. She was also Director, Security Solutions at Palo Alto Networks, driving growth in critical IT initiatives like Zero Trust, virtualization and mobility. Danelle was co-founder of a high-speed networking chipset startup, co-author of a Cisco IP communications book and holds two US patents. She holds an MSEE from UC Berkeley.