With last month's DDoS attack on DNS provider Dyn being the latest reminder, cyber security is a critical business imperative.
Still, despite these well publicized examples available for all to see, enterprises are struggling to align their culture to the reality of today's threat landscape The CISO role is more important than ever, yet many enterprises are still lacking strong cyber security leadership. Even the federal government understands this announcing its first CISO in September 2016.
Part of the reason CISOs have been slow to truly join the ranks of the C-level exec is that cybersecurity “grew up” as check-box configurating requirements for various regulations. At the board level cybersecurity is still perceived as an IT issue and all too often remains shackled to IT.
If organizations want to effectively manage cyber risk, CEOs and boards need to change their view of the CISO as only an overseer of complex security gear, to a business leader that ensures the confidentiality, integrity and availability of their company's IT processes.
A good CISO needs to bottom line executive management on exactly what has to be done to reach a particular risk threshold and how much it will cost to get there. Corporate boards would be well served by a levelheaded CISO who provides regular updates on how risk is evolving and being managed across the IT stack. There is no spin in security and, frankly, it is not reported in terms of “hit” or “miss” as most IT projects are.
CISOs need to be invited to participate in discussions that determine a company's strategic action, as opposed to being called into provide progress reports. They need to be treated like a C-level person – not like a project manager called in to roll out the new email system. The CISO needs to have both the innate ability and be granted the authority to “own” cyber risk management for their company.
One variable that differs from company to company, that can make or break a competent CISO's ability to success, is the culture of the organization for which they work. CISOs need to be tapped into the source of authority and part of senior level dialogs. If they aren't and don't, they are at best hobbyists and actively damaging at worst.
For CISOs the corporate culture is the most important thing to understand, align to and integrate with. They need to understand the business and not fall back on the jargon-laced language of the security department that causes eyes to glaze in the boardroom. To establish themselves as allies and partners to the board, CISOs need to embrace a new set of language and business skills.
There is no silver bullet to bridge the culture gap that currently exists between CISOs and the board, and right or wrong, it's not going to happen unless the CISO can prove that he or she is worthy of that respect and authority. The CISO must present themselves to C-level executives as a businessperson first andtechnologist second. Leading with bits and bytes is a surefire way to lose the respect and interest of the C-suite. It's about establishing a new dialog with the business and exercising soft skills.If this sounds daunting or uninteresting, remember that this challenge is why CISOs get paid the big bucks. This is why the job is hard and why the job it is important. If you aren't up for the CISO job, it's ok to aspire to other leadership roles in security. It isn't all about the path to the top by any means, but the CISO role is a critical one for the success of all modern, growing, healthy companies and it requires a new skill set.