Despite their immense strategic importance, CISOs can face significant challenges getting Board buy-in. Here are ways to overcome the impasse…
Chief Information Security Officers (CISOs) have one of the most difficult jobs in any business today. They typically work hidden in the background, leading a combination of security and operations teams charged with keeping critical systems and sensitive data protected from cyber criminals and malicious insiders.
They are constantly on call and under pressure to ensure systems are updated and patches applied, to control and secure privileged access—and to deliver cyber security awareness training and satisfy rapidly evolving compliance mandates and regulations.
Yet CISOs, along with their teams, do so much more than act as the company’s watchdogs. They add significant business value, enabling the organization to grow and evolve safely, and providing a route to delivering real competitive advantage without compromising security. To do this, they must be empowered to succeed with the resources and budget they need to protect the business. However, all too often, CISOs are disconnected from the wider business goals and report difficulties in articulating their success to others in the organization.
To overcome this challenge, CISOs need to have a “people & business first” approach. This includes communicating with non-IT professionals, such as the C-suite, in language that is jargon-free and business orientated, as well as making security decisions based on the likely impact on their firm.
Struggling to align IT security initiatives
A recent global study of more than 500 IT security decision makers by Thycotic found that over half of respondents (52%) believed their organization struggled to align IT security initiatives with wider business goals. This is perhaps unsurprising given that more than a third (36%) are unclear as to what these goals are.
This issue of poor visibility of goals is not a one-way street. The research also showed that IT security teams can have difficulty in demonstrating the value of their work to others in the organization. More than four in 10 (46%) respondents admitted that they have no way of measuring how previous security initiatives made a difference to the business overall.
However, the ability to demonstrate success in terms of value to the business is exactly what a board needs to see if it is going to make informed decisions on how much to invest in IT security. Nearly half of those surveyed (48%) said that the biggest influence on how the IT security budget is allocated is evidence of the success and ROI of previous security initiatives.
Therefore, it is clear that communication can be a serious issue, with IT security teams often disconnected from the rest of the organization. This is understandable: cyber security teams are often over-stretched by the pressures of having to keep an organization safe from cybercriminals or malicious employees, keeping critical systems running and meeting regulatory demands.
In the survey, more than four in 10 (44%) respondents said they do not have a clear vision of what other business departments are trying to accomplish, while around the same number (43%) stated that business goals are not communicated to them. This is clearly bad news not only for IT security, but for the organization as a whole.
Taking a “people & business first” approach
The change must come from within: by taking a “people & business first” approach, CISOs can demonstrate their value to the wider organization.
To achieve this, CISOs first need to take the time to listen to what the priorities of others in the business are, and what they consider to be measures of success. In this way they will be able to demonstrate how the technology they are implementing not only makes the organization more secure, but also helps others meet their goals.
How the IT security team achieves this needs to be communicated to others within the organization so that they can appreciate the value the department brings. This starts with the CISO being able to explain clearly to the board, in language the board understands, what the department is doing to protect the revenue of the company—in effect becoming the “Chief Revenue Protection Officer”. They should avoid using vanity metrics such as the number of vulnerabilities patched or threats blocked because these can confuse non-technical colleagues. By taking this “business first” approach CISOs will be able to get Board buy-in for further security improvements and initiatives.
Great cyber security relies on great communication
CISOs and their cyber security teams need to ask questions such as “What is driving revenue in our business?” and “What do our customers expect from our business when it comes to cyber security?”
That means seeking out those who are responsible for revenue (including the sales and marketing staff) and asking them:
- “Where does the sensitive data reside?”
- “What would happen if this data were compromised or not available?” and
- “How would that impact our revenue?”
To get broader support from colleagues, a company-wide IT security program should also be implemented to foster awareness around what is being done to tackle key security issues. This includes the appointment of Cyber Ambassadors who can turn technical jargon into plain language to help inform others of the security team’s goals, as well as building organization-wide co-operation to help forewarn of any suspicious activity, such as phishing attempts.
Ultimately, great cyber security is reliant on great communication. This is necessary not only to let colleagues know about potential risks, but also to ensure that security teams are empowered with the right resources to protect the business.