CISOs Need Backing, How to Engage the C-suite and Board, and It’s OK to Fail – BSW #315
In the leadership and communications section, How CISOs can engage the C-suite and Board to manage and address cyber risk, CISOs Need Backing to Take Charge of Security, It’s OK to Fail, but You Have to Do It Right, and more!
- 1. How CISOs can engage the C-suite and Board to manage and address cyber risk
The modern Chief Information Security Officer (CISO) has a difficult job. Amidst the myriad of malicious cyber threats attempting to infiltrate their organization, CISOs must also effectively navigate other murky waters: Engaging their C-suite and governing counterparts on matters of cybersecurity. It’s a tall task for which decades of technical training and programmatic cyber expertise alone are insufficient preparation.
Effectively engaging the C-suite is based upon simplifying the connection between cyber risk and business risk. This requires deciphering the impact of a cyberattack in a way that doesn’t portray a doomsday narrative, but still clearly outlines the severe ramifications it could have for fundamental business goals.
- 2. How to communicate data risk to the business
The role of data security within the enterprise has been undergoing significant change. Particularly as competitive pressures around AI and advanced analytics initiatives mount, business leaders are often leveraging data without understanding or evaluating the associated risks.
Security and risk leaders can follow these best practices for effective data risk communication.
Step 1: Bring the listener in
Step 2: Earn the right to be heard
Step 3: Tell the risk story
- 3. CISOs Need Backing to Take Charge of Security
Unless the CEO and other C-suite executives defer to the CISO's decisions on cybersecurity, is the CISO really running things?
- 4. How a Federal Ban on Ransomware Payments Could Help CISOs
The White House is considering a ban on ransomware payments, which could change the chief information and security officer (CISO) job. The ban would elevate the cybersecurity conversation to the CEO, the CFO, and the board, and potentially end the practice of scapegoating CISOs when a breach happens. This is a significant shift: after Uber’s former chief security officer was convicted for his role in covering up a 2016 cyberattack, CISOs had more reason to worry about the personal liability that came with the job. Here’s how companies should prepare for this new landscape right now: prepare for the worst, make senior leadership own the cybersecurity conversation, and test their security posture and regularly audit internal processes and employee security training to pinpoint gaps in cyber readiness.
- 5. White House Cyber Workforce Strategy: No Quick Fix for Skills Shortage
Those looking for quick solutions to the nation's deepening cyber skills crisis are unlikely to find them in the new National Cyber Workforce and Education Strategy document that the White House released this week.
But there are plenty of elements in the strategy that, if implemented as intended, could go a long way in addressing the skills scarcity over the long term, while also preparing future workers for cybersecurity careers, industry experts say.
- 6. It’s OK to Fail, but You Have to Do It Right
Harvard Business School professor Amy Edmondson is probably best known for her work on psychological safety in the workplace. She has authored a number of books, including the forthcoming Right Kind of Wrong: The Science of Failing Well, and she spoke with HBR editor in chief Adi Ignatius about the right–and wrong–ways to fail. Experimentation and risk-taking are crucial for an organization’s success, but failing twice in the same way is probably a mistake.
- 7. The Art of Effective Communication: Building Stronger Connections
Effective communication is an art that requires practice, patience, and a genuine desire to connect with others. By embracing active listening, empathy, and clarity, we can create stronger relationships and build a more harmonious world. Engage in meaningful conversations, communicate with compassion, and appreciate the power of effective communication in enriching your personal and professional life.