The CISO position has come a long way from the relative obscurity of a security director buried inside the IT engineering or operations organization, rising to the prominence of a quasi-member of the C-suite. The rapid growth of cyber threats over the past decade has made cyber risk one of the largest risks facing our firms and even our nation. With the potential for catastrophic loss of business and reputation and the cost burden of regulatory fines and penalties, cyber threats have become an existential risk to the survival of many public- and private-sector firms across every business domain.
CISOs and their security teams implement zero-trust, layered defenses and work around the clock to protect their firms from cyberattacks. In spite of this good work, most CISOs are still not members of company executive committees, nor do they typically sit on company boards. For CISOs to be recognized as contributing executive leaders, to get their fair share of recognition and rewards, and to earn a real seat at the executive table, they need to change the narrative about their work and the cybersecurity value proposition. Here are some ideas for what CISOs can do moving forward:
- Talk about the good before the bad.
Today, wherever there are large platforms for news and information about cybersecurity, whether articles in the major newspapers or panels and speeches at security conferences, the conversation almost always centers on bad news. We see constant talk about ransomware and other advanced malware, data exfiltration events, unauthorized access, privacy violations, and regulatory fines. While there is a place for this kind of coverage in alerting the public to grim realities, CISOs must also take a leadership role in cultivating public narratives of their successes in protecting their firms from sophisticated threat actors and advanced persistent threats. The conversation needs to change to reflect the good work done by security teams and how effective they are every day. Yes, some firms get breached, but there are thousands whose security teams defend them successfully day in and day out, and that work never makes the headlines. CISOs need to shape the public narrative by writing op-eds and letters for prominent newspapers and social media platforms and by encouraging their company PR departments to issue press releases that highlight and celebrate the good news rather than constantly recounting the losses incurred from cyberattacks. A fuller accounting of CISO successes offers a more accurate depiction of reality than the one that currently dominates the public mindset.
- Take a leadership role in aiding the business.
Right now, cybersecurity teams are often narrowly regarded as corporate cost centers, with a role limited to incident response, engineering, operations, and security risk management. CISOs can change this narrative by demonstrating that cybersecurity can be an essential revenue enabler. There are many paths to becoming a leading player in the creation of new revenue streams: engaging in product and services development in both the cybersecurity and IT work streams, actively participating in the RFI/RFP process to win new business, and offering essential security perspectives for sound merger and acquisition decisions. Finally, CISOs must engage with business leaders to make them aware that security can and should play an important role in generating business and revenue, and reinforce the narrative that CISOs and their security teams are business enablers, not merely cost centers with operational responsibilities.
- Offer expert advice on regulatory compliance and engagement.
Given that cyber risk now predominates over all other forms of risk, regulators closely scrutinize the cybersecurity controls companies use to protect client and customer data. CISOs must familiarize themselves with the wide array of security- and privacy-centric regulations and with the security guidance mandated by other regulatory agencies, such as the Securities and Exchange Commission. Only then can they ensure that all the necessary security controls are in place to comply with government mandates and regulations. CISOs must also take the initiative to establish a two-way communication channel with regulatory agencies, offering feedback on new regulations and building trust.
- Establish relationships with federal security agencies.
To share active threat intelligence and build a shared defense, CISOs must also establish good relationships with federal security agencies such as the Cybersecurity and Infrastructure Security Agency, the FBI, and the United States Secret Service. In today's high-threat landscape, with a potentially existential threat to our businesses, the CISO should become the member of the C-suite who actively manages and fosters the relationship with the federal government, rather than leaving it to the legacy corporate government-relations departments of the past.
By following these recommendations, CISOs will become more fluent in understanding, aligning with, and supporting business objectives, stay relevant, and stop being viewed as a hindrance. These ideas will also go a long way toward aiding our collective digital transformation journeys.
Raj Badhwar, senior vice president and CISO, Voya Financial