What CEO’s should know about the CISO role and its Security Program?
In previous articles, I have discussed the changing roles of the modern CISO and how the new job requirements of the CISO and their security teams are focused on providing risk management services to their organizations. Part of these earlier discussions with our community has focused on the threats facing businesses today and how CISOs can leverage technology, policy, and people to be more effective. However, there is still an executive leadership component I haven’t touched on, and that component is educating CEOs and leadership teams about the CISO role and cybersecurity in general within organizations. The following are discussion points I believe are critical for leadership to understand their enterprise security program, the CISO/CSO role, and the business value of cybersecurity.
1. Information Security is not an Information Technology (IT) problem — cybersecurity in its fundamental essence is about data and risk. It’s about the use of technology to access, acquire, process, manipulate, store, or destroy data. Yes, cybersecurity does use technology to manage the risk exposure of enterprise data. However, it also applies policies, security controls, frameworks, and people in this endeavor as well. I view cybersecurity and the job of the CISO and teams to provide enterprise risk mitigation and risk management services to their business. The CISOs role is not to own the business's risk but to understand the business’s strategic goals, its operations, its revenue processes, and how it uses technology to compete. With this insight, the CISO has visibility into the risk exposure of the business and makes recommendations on how to manage it. The company, which owns the risk, makes the final decision on how the risk will be remediated or accepted and the CISO proceeds to execute and monitor those decisions. This view is very different from the CIO’s role which is to deliver efficient enterprise IT services to support the business in achieving its strategic goals. As one can see, both use technology but for very different purposes. This is why I believe the CISO should be a peer to the CIO, so the business gets a more in-depth and level view of its technical and operations-based risk exposures.
2. Security is a Risk Management problem — as I mentioned above, cybersecurity is about risk. It’s about how technology is used and the data it creates. It is about who has access to that technology and data, are they authorized, do we have records of it, and what third parties have access to. It’s about having a methodical process based on a standard framework to measure risk, equate it to the financial impact to services, remediate the issues we decide to manage, and monitor the remaining problems, so they don’t impact the organization’s strategic operations. To do this effectively, I say to CEO’s your CISO should have experience in multiple domains to understand the interplays of disparate technologies, work processes, compliance requirements, and business operations. Then with this insight, the CISO should be able to convert this highly technical view on hazards to the business into a discussion on impact to services and customer operations. This is not a natural skill. However, it is one learned from years of experience, and it is the business value a mature CISO brings to a company.
3. Security doesn’t bring value in a box — a company’s security program should not be pushed to the side and constrained, it needs to be visible to all personnel in the organization and employees should know the CISO. A mature security program is one that is integrated across departments, assisting with risk management issues and scanning for vulnerabilities. A seasoned security program is one that all employees know they can call when they have problems or need to report something anomalous about their computer. Security by nature is about data and technology the crosses all phases of a business and the program and team that manages it needs to be involved and empowered to work in cross-functional teams and provide assistance where needed. I have seen numerous places where almost no one knows who is in charge of the security team, where they sit, or what services they provide. To me, this is a failure on the CISO for not evangelizing the worth of security to the business, and it’s a failure on executive leadership for not using this unique asset to its full potential.
4. The value of your security program is directly proportional to your support — security just doesn’t happen, you need a CISO who knows how to build a program that is tuned to the business's needs and you need the resources to support this program and your new security executive. Just hiring a CISO doesn’t protect the organization. However, if you engage a CISO and empower her to envision a strategic roadmap and then provide the resources for them to build their program, you are reducing the risks to your strategic operations as CEO. In fact, I believe an engaged CISO and security team offers the business the capability to be innovative in a more secure environment which will enable it to be competitive at reduced costs.
5. Security is a culture issue — the CISO is a change agent, security at times will be about changing the corporate culture of how things were initially done for the betterment of the company. As CEO you should publically support the CISO, I like to have something like a charter that states the security program has the support of executive leadership to make changes and manage the risk of the organization. Of course, it is then incumbent on the CISO to actually craft the programs and policies the company needs, evangelize the worth of these changes, and then collaborating with peers to implement them with support across the company. I have never worked anywhere in my 20+ years in IT or Security where I did not run into corporate culture resistance on at least one security project or new policy which is why the CISO must have executive leadership buy-in on the need for a CISO and security program.
6. Security isn’t a “one and done,” it’s a life-cycle — cybersecurity is a life-cycle, as the company grows and technologies and work processes change to meet business requirements so do the company’s risk exposure. It is this ebb and flow of strategy-technology-people-policy that demonstrates cybersecurity is a continuous process of inventory, assessment, scanning, remediation, and monitoring of risk. To the CEO this means just hiring a CISO doesn’t make you safe, you need to build a security program, implement the program, and collect metrics to measure its worth to the business. It is a continuous process and to do it efficiently, you as CEO need to partner with your CISO. You need to accept the CISO as a strategic executive that doesn’t provide a revenue stream but will allow you to sleep better at night and give you an innovative platform to implement new technologies securely. The CISO enhances your company’s ability to compete.
7. Security isn’t sexy, but your customers will appreciate you for it — with many of the new threats and breaches that are reported daily in the news cybersecurity is becoming the corporate program that companies are expected to fund and use to protect their customers. Obviously, to do this correctly, you need a CISO who is in tune with the business, its operations, and strategic plans. This means that executive leadership will have to spend the time to make sure the CISO is educated on the business environment of the company. With this information, the CISO can then build a competent security program that incorporates both the company's business needs and technical environments so they can better manage the organization’s risk portfolio. Again this is hard work that executive leadership must be a part of so the security program is aligned to fit what the organization needs to be resilient and manage its risks. The end result will be a security program that can better handle incidents and reduce their impact on customers and business operations.
8. Security is about discipline; the basics need to be done right, consistently — My final note, cybersecurity is a field of numerous disciplines managed by frameworks and security controls. In this process policies and work procedures are created that need to be followed methodically. Many of these procedures and guidelines are mundane and can be considered to be mind-numbing at best. With that said, if they are not completed, then security controls break down, and incidents soon follow. This scenario is the context behind the term “cyber-hygiene,” it is implementing basic security procedures and then actually doing them every day, in the same manner, to manage risk and protect the business. This is an example of the discipline a mature security program must follow, and the CISO must lead to keep the company secure, and both need executive leadership support to mature.
In closing, this is by no means everything a CEO or an executive leadership team should know about their CISO role or their company’s security program. My goal with this article is to start the conversation, if at least one CEO takes the time to talk with their CISO and at least one CISO takes the time to educate their executive team, then I have accomplished my goal.