[BreachExchange] CISO Should Stand For Chief Influence Security Officer

[Destry Winant]

https://www.forbes.com/sites/forbestechcouncil/2018/09/24/ciso-should-stand-for-chief-influence-security-officer/#74433547198f

More companies are elevating security executives to true C-level
status. Last year, about 65% of the largest enterprises in the U.S.
had a Chief Information Security Officer (CISO) on their payroll,
according to ISACA (via the Wall Street Journal), and more
organizations are considering moving their CISO out from the shadow of
the CIO. It’s a sign of the important and growing role of security in
an era of digital business and constant threats.

However, many are still treating their CISO like the brand-new coffee
table from IKEA: Sure, it serves a purpose, but it can be more about
appearances. Joining the C-suite gives security officers a seat at the
table and is a good first step, but it’s not enough; their voices need
to be heard and their plans need to be implemented. While the title
stands for chief information security officer, it might make sense to
reorganize the acronym to be chief security influence officer. The
highest priorities of this job are to influence the rest of the
executive team -- and the board -- about proper security and to make
sure that safety posture works hand in glove with overarching business
imperatives and strategies. Leave the technical day-to-day operations
to the security engineers and analysts on staff while you make sure
the C-suite is aware of the need for proper security measures and how
to achieve them.

Cybersecurity Challenges And Solutions

Many executives don’t really know what a cybersecurity threat fully
entails, assume that the protection they have is good enough and shift
the full responsibility to their IT organizations. Ignorance may be
bliss, but this type of thinking creates headaches and leaves an
organization at risk.

Another problem is that CISOs may not tailor their security strategies
to align with strategic business concerns. Sure, the team and its
leader are there to protect the organization, but being safe should
not come at the expense of turning away customers (e.g., through poor
user interfaces and onerous information access methods). It’s possible
to be secure, efficient and profitable all at the same time.

A CISO can exert influence and address these problems with the
following measures:

Follow Best Practices For Your Industry

Every company is different, and that applies to cybersecurity needs,
too. The industry can determine the threats that are most likely to
occur. If you’re in production, you might deal with ransomware; if
you’re in retail, you might be at risk for card skimming. It’s
important to determine what those risks are and what the security
goals are for your specific company.

If you’re funneling too much budget into endpoint protection when
you’d be better off diverting funds into file security, you’re going
to have inefficient security measures. Obviously, everyone is focused
on profit, but a Fortune 500 company may care more about stock prices
and shareholders, and a small to midsize business may care more about
customer satisfaction and retention. It’s important to understand both
the security and business goals in order to create the perfect
strategy.

Angle For CEO (And Board) Access

It’s great to have a seat at the executive table, but having the right
seat can make all the difference. According to a 2017 Ponemon study,
only 4% of CISOs report directly to their CEOs. This might not mean
they’re relegated to the boiler room, but it does exemplify that
there’s a suboptimal chain of command. There is no substitute for
having the ear of the CEO when it comes to balancing security concerns
with business objectives and ensuring security becomes a strategic
priority for the organization.

Successful baseball managers have an open line of communication with
their general managers in order to mesh strategy with finance, and
cybersecurity should be no different.

You Need A Communications Plan, Too

The CISO needs to break things down for the executive team using the
language of business. Your CEO doesn’t want to hear that the company
has a 43% chance of being breached and having the personal data of
hundreds of thousands of customers compromised. His response is going
to be, “So what?” Things need to be quantified.

Instead, you want to explain that because 600,000 customers are at
risk, the company could potentially lose X million dollars due to
noncompliance fines and lawsuits. If your company is publicly traded,
the CISO also must convey the potential effects of a negative brand
reputation on stock prices. In the cases of Target and Equifax, their
stocks took an initial beating, but they were able to recover.
However, as a result of the recent Facebook privacy debacle, the
hashtag #DeleteFacebook was born, and the stock price has suffered as
a result.

Once you have your CEO’s attention with the jab of potential loss and
damages, knock them out with the money they could save by implementing
measures to reduce the company’s cyber risk.

Being a CISO is tricky in a world where cyber threats are increasing
exponentially and businesses are struggling to keep up. Especially
when many executives may be unaware of technology, vulnerabilities and
potential consequences, it’s important to stay level-headed and show
them that bolstering cybersecurity limits financial risk and helps the
company maximize profits. The CISO must be the influential voice of
reason, using a combined knowledge of cybersecurity and business
acumen to set the tone for future security practices. It’s no longer
enough to focus solely on the technical aspects of security; to be a
truly effective CISO, you must understand the big picture and have the
ability to successfully convey the financial benefits of cybersecurity
to those writing the checks.