With cybersecurity now elevated to the top of business agendas following the rise in ransomware and other attacks, CISOs should be viewing their roles as influencers and educators, acting as strategic boardroom partners, as well as building security-first approaches across their organizations.
Meanwhile, organizations' attack surfaces have been growing for years, and the digital economy has become fragile, facing an inflection point in how to adapt to and survive what some view as a cyber pandemic.
With this rapidly changing threat landscape in mind, CISOs must not only have solid technical knowledge but must also be expert translators, converting security threats into business risks.
A CISO must make a positive impact on the business and, at the same time, empower employees to be a strong, frontline security perimeter. In the end, solely focusing on cybersecurity just won’t do the trick.
“We must set our focus on a business-first approach and use our cybersecurity skills to reduce business risk,” explained Joseph Carson, Advisory CISO at ThycoticCentrify, provider of cloud identity security solutions. “Otherwise, cybersecurity will continue to be seen as a cost instead of a value-add.”
He explained that CISOs must invest time listening to their executive board and business peers to learn how they measure their organization’s success.
“Our role within cybersecurity is not to simply put technology in place for the sake of security, but to put technology in place that contributes to business success — while ensuring cyber risks are either reduced or eliminated,” Carson said. “CISOs are suffering, and we need them to be successful.”
He said CISOs have “an image crisis” that is only getting worse, and they need to rebrand themselves and become enablers of the business and innovators of technology.
“In order for a CISO to succeed, we must change our path, and this means potentially rethinking our approach to cybersecurity,” he said.
That means starting with a “business first” approach, with the CISO becoming the bridge between the business and the IT security team to ensure every security decision is made with that approach in mind.
“How does implementing a security strategy help your business, the executive team, your business peers and your employees be successful in their tasks and goals?” Carson said. “In the past, security was typically enforced on the business, typically creating a negative experience and slowing down employees trying to achieve their goals.”
Chris Morales, CISO at Netenrich, a digital IT and security operations company, pointed out that each business is different, and that not all data, infrastructure, applications, systems and source code are equally mission-critical or valuable to the organization.
“On the other hand, access to some seemingly less critical systems can serve as an entry point for cyber criminals in times where everything is connected, and one human or technical error can lead to crippling attacks – again that holistic aspect,” he said.
This means a CISO needs to work with the business units to define these risks and assign risk owners in the business units.
“The job of the CISO is risk advisory, not to control actions,” Morales said. “Managing risk and ensuring continuity takes an organization-level commitment to a culture of resilience.”
He added that many areas for improvement are operational: there is often a lack of proper planning and preparation for adversity, or teams are siloed without insight into system-wide operational interdependencies and without alignment to business risk.
“Resilience brings the areas of information security, business continuity and IT operations together to produce a secure-by-design operational process supporting mission-critical functions,” Morales said. “It is up to the CISO to work across all disciplines and educate the business on what impact actions have, and to create a culture of accountability.”
Carson also noted that, while they must have sufficient technical knowledge, good CISOs must also be strong communicators.
That means that when they speak with the IT security manager and then translate the security needs to the business, they must know when not to talk about cybersecurity and when to focus instead on business risks, how to reduce them and how to optimize return on investment.
“A good CISO must also listen to business peers about what their goals are and align their security plans with those needs,” he said. “Security must be seen as a service to the business.”
Overall, he said, a CISO needs to make security fundamental to the business, and employees must never be afraid to speak out when they see something suspicious.
“Promote a culture where employees are never afraid to ask for advice or report suspicious activity, even if it was the result of something they clicked on,” he said. “The earlier an employee reports something, the lower the potential impact and cost it will have on the business.”