
The three qualities modern CISOs must have today to succeed


COMMENTARY: Chief information security officers (CISOs) have heard loud and clear the message that they no longer have to function as the chief officer of “no.” But at the same time, boards and chief executive officers (CEOs) aren't looking for “yes” women and men.

They need risk management executives who can unfold the facets of cyber risk facing the business, both in narrative and in meaningful risk metrics, and offer advice on how to minimize risk without obstructing business goals. That's true now more than ever for enterprises as they navigate a tougher regulatory scene, with the Securities and Exchange Commission's (SEC's) cybersecurity rules putting the board and executives at public companies on the hot seat for greater accountability and disclosure of cybersecurity risks and material cyber events.


All of this has converged to change what enterprises need from the top security executive today. Enterprises can no longer make do with technically obsessed CISOs who have a poor grasp of organization-wide business goals. They can't depend on CISOs who are unable to measure or track cyber risks as they pertain to the balance sheet. And they can't navigate the rapid disclosure of cyber incidents to regulators and shareholders with CISOs who are unable to collaborate with peers and frame cybersecurity discussions in the language of business rather than in technical jargon.

In my experience as a cybersecurity investor of many years who talks to CISOs and business leaders every day, I've observed this evolution in what's expected, or at the very least hoped for, from CISOs at large organizations today. These are three of the most important qualities that modern CISOs must have:

  • Operate as business leaders with technical know-how, not the other way around.

Not too long ago, Gartner polled a healthy contingent of corporate directors about cybersecurity, and a whopping 88% said they now think of cybersecurity as a business risk, not a technology problem. Clearly, the perspective has already shifted at the top of the food chain, which means that boards and CEOs are going to need CISOs who can discuss cybersecurity on the same plane of understanding.

Enterprises need CISOs who are business leaders first. While CISOs need technical knowledge and ability, too many of these leaders are managing cyber from a technical perspective without understanding the big-picture business risk. The CISOs who can't manage risk in the right context are at risk themselves of being marginalized.

  • Focus ruthlessly on budget and financial calculations.

CISOs looking to make the jump from technical manager to business risk leader must recenter their work on financial calculations. I'm not just talking about keeping their own budget lean. Not wasting budget is important, but it's also just management table stakes. CISOs must find ways to advise the business on assets at risk and make cyber risk calculations based on the financial risks to each of those assets, and to the processes that they run.

Most CISOs would know the old security saw that they should not buy a million-dollar vault to protect a few dollars' worth of assets. While it's relatively easy to make bright-line decisions, there are a lot of less obvious risk choices that need a whole lot more financial analysis to suss out the optimal paths. This means that CISOs need to measure the right things: they have to shift the focus of the metrics shared with the board from those that center on threats and vulnerabilities to those that measure financial resilience. I expect we'll see savvy CISOs focus more on financial cyber risk quantification to measure and communicate potential financial impact to the board. This promises to help everyone make the right choices in cybersecurity program investment, and also make the best choices about cyber insurance coverage.

  • Possess impeccable communication and collaboration skills.

CISOs who want to start punching above their current weight class in the executive world may need to reevaluate their communication and collaboration skills. Today, senior security executives typically do a poor job of communicating security risk to the C-suite and board. One survey shows that almost two-thirds of senior executives and directors report that their CISO's direct communication skills are lacking, and 98% support funding for CISO communications and presentation training. Almost half say there's an immediate need for this training so CISOs can do better at helping the business anticipate threats, raise employee awareness, and communicate risk and the ROI of making security investments.

Another point I’ll add to that list is crisis communications: in the wake of the SEC's swift reporting mandates for material cyber events, CISOs must have the ability to lead communication efforts during these incidents.

Clearly, there’s a pressing need for CISOs to change their leadership DNA. It will take a concerted effort for old-school CISOs to change their mentality and skill sets to fill these market needs. CISOs and aspiring CISOs who ignore these trends will do so to the detriment of their future career path.

Bob Ackerman, founder and managing director, AllegisCyber Capital

Editor’s Note: This is the first of three Monday morning columns on the changing role of the CISO.

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
