The New Language Of A Highly Effective Cybersecurity Leader

Every organization is a potential target for a cyberattack. The impact can be devastating, from loss of data and customer trust to significant financial losses. In fact, the overall security environment has become so demanding that there has been a growing focus on developing a new breed of security leaders.

Organizations are looking for leaders that are able to not only design robust security systems to protect against the onslaught of cyberattacks, but are also able to develop an effective security strategy that aligns with the business. It is no wonder that the role of Chief Information Security Officers (CISOs) have evolved in the last couple of years, from technical security gurus in the back office to governance, risk and compliance managers with board visibility. In fact, one of the key characteristics of a highly effective security leader is to straddle that fence between technology and business, and communicate risks in the right language to the different stakeholders in the organization:

• Communications to C-suite and the board – Without support at the executive and board level, (and the organizational structure and budget that comes along with it), a security leader cannot execute on his or her strategy. While security practitioners may be worried about attacks, and details of an intrusion, board members and the C-suite are more worried about risks, compliance and availability.

According to the IBM 2013 Chief Information Security Officer Survey, each C-suite executive has a different security worry– “CEOs are most sensitive about negatively impacting brand reputation or customer trust. CFOs fret about financial losses due to a breach or incident. COOs lose sleep over operational downtime. Finally, CIOs have a broad set of concerns, including breaches, data loss and implementing new technologies”. A cybersecurity leader needs to be able to demonstrate how he or she is balancing business needs with security risks, and has to be able to translate these into metrics that are well understood at the C-suite and board level. The ability to show dollar return on security initiatives is critical to ensure continued executive support on security investments.

The good news is that the interaction at this level is increasing. According to this year’s Global Information Security Survey (PDF) from consultancy Ernst & Young, 35 percent of information security professionals report quarterly on the state of information security to the company board and the chief executive and about 10 percent report monthly. This is a significant contrast to last year, when no information security professionals said they reported to senior executives.

• Communications to security practitioners – While lines of business leaders or application developers may more easily consider initiatives that can enable the organization, security practitioners generally have a more risk-averse attitude and the first reaction is to say no to any new request that impacts how they’ve designed their existing security systems. The more practical perspective is a managing business needs and security risks. For example, having a completely closed, secure, wired-only network where every user needs to be physically in the building using only sanctioned, IT-managed, PCs bolted to the wall is just not a realistic way to address threats introduced in the network by mobile devices. A better mobile cybersecurity strategy is one where laptops, smart devices and tablets are allowed onto the network, but depending on the device, the user and the state of the device, different types of application access are allowed.

A cybersecurity leader must start with a clear understanding of current business objectives and future plans – from internal organizational changes such as mergers, acquisitions and a focus on new markets, to collaboration with external entities like partners, contractors, and countries of interest.

With this foundation, he or she can determine where the most important data resides, who should have access to them, how they should access them, what types of compliance requirements need to be addressed and determine what security options are possible. The visibility into security options provides an effective way to understand risk and reward tradeoffs.

Security innovation must be the enabler. Just as hackers continually refine their attack techniques, the only way to keep up with the new attack and threat landscape is to understand what technology arsenal is available. There is the propensity to adopt the latest “cool” point product that is the silver bullet to solve the latest security woes, but it’s better to consider selection criteria such as how the solution solves the problem holistically, operational flexibility and integration. For example, security solutions that deliver policies that enable, policies that are flexible and agile, and policies that can be managed easily will provide more value than a complicated point solution that solves one problem and requires exorbitant consulting services to deploy.

• Communications to users – An cybersecurity strategy is ineffective unless it is communicated effectively to users in the company. Cybersecurity leaders must communicate security processes frequently to all employees, and monitor acknowledgement of this in employee code of business records. Security awareness must permeate every level of the organization, and all employees must understand the appropriate use of organization assets, data and technology.

In summary, the most effective CISOs today can’t just be experts in security. Organizations need a versatile security leader that also possesses the business acumen to strategize and act as the security and business liaison. An effective cybersecurity leader speaks a new language– one that is a blend of technology and business.