Overcoming Appeasement: Think About Risk From the Business Out

For a couple of decades now, the career path of a cybersecurity professional has been evolving just like the rest of the tech industry. Years ago the top title was the dedicated “security officer,” who was generally also the CIO, the CFO, or some other officer of the company.  

Of course all the IT security pros felt that role should reside with them, so eventually it did, and even more eventually we created a role called the CISO, the chief information security officer.

The problem with the CISO role today is that it holds a C-level title but may not always be at the C-level. In your typical organization, you might have the CEO, the COO, the CIO, and then the CISO — a C-level title that’s three steps down the chain.

That’s not the C-suite, folks—it’s appeasement. It’s title inflation meant to quiet an increasingly important group that wants a stronger seat at the table.

So how does our CISO profession continue to evolve and gain that seat?

First, we have to stop giving the security community a bad name by being the “no” people. For too long we’ve had a centralized view that security is of higher importance than the business itself. We can’t keep taking an adversarial approach.

The CISOs who have been highly successful are those who made themselves an integral part of the business. They may have a couple dozen compliance regimes to satisfy, but they are not simply demanding compliance reports. Your most successful CISO is usually one whose primary goal is to make the business successful.

Any time we’re dealing with a critical business process, first and foremost that process needs to be sustained. The CISO needs to start there, and develop a control profile designed to mitigate risk while enabling the business to continue seamlessly.

How can you quantify that risk if you haven’t quantified the value to the business? That’s what compensating controls are about. It’s not about the FUD of what malware has done to other people. Successful CISOs find a way to mitigate risk without putting a cumbersome gateway on an important business process.

The way to do that is to truly understand every process that powers the company. Before we ever do a risk analysis, it’s critical to know the business inside and out. Today it is a key skill to truly understand the business organism and be able to articulate how it lives. That means the entire business process — from somebody creating an order, to distributing something from a warehouse, to understanding the value of every cog that exists.

Knowing the business inside and out makes it easy to articulate areas of weakness. The real differentiator for a CISO who has a true seat at the executive table lies in that ability to correlate a real understanding of the business to threats and risks, and then communicate those threats back to the company in business language. Only then will executives understand the implications and impact of those threats and the relative importance of any mitigations.

In this way we become partners who justify and enable business decisions — while maintaining the position and authority necessary to have difficult conversations about risk when necessary.

As the CISO function continues to evolve, these skills are becoming table stakes for the position. There are currently millions of jobs and too few people to fill them. This is driving up salaries, which in turn attracts a broader pool of candidates. With that, it won’t just be IT professionals who are drawn to the CISO career path, but also MBAs and other business experts who understand the language of business and can learn security. 

For existing CISOs, the best way to approach your career today is by building your own business savvy. Partner with business groups to help them understand risk, and in turn improve your own understanding of the business logic that drives IT decisions. To take that next step and gain the ear of the C-suite, we must start to make that pivot — to build security from the business out. 
