
Five ways CISOs can succeed


As the cyber threat landscape has evolved, so too has the role of the modern chief information security officer. Gone are the days of the siloed CISO who operated from an ivory tower without a seat at the boardroom table for major organizational decisions. Today, as digital transformation expands and business demands intensify, the modern CISO role has shifted from purely tactical to fully transformational: the cyber quarterback of the organization who aligns strategic planning, policy, and processes within a value-centric security architecture designed to mitigate cyber and business risk.

Protecting an organization from cyber threats no longer falls on the CISO’s shoulders alone. It’s a collective responsibility spanning the entire organization, starting at the top with corporate leadership and extending down to every level of the enterprise. Gartner forecasts indicate that by 2026, more than 50% of C-level executives will have performance requirements related to cyber risk within their employment contracts. Expected new SEC regulations will also mandate that publicly traded organizations disclose their cybersecurity governance efforts, particularly the board’s oversight of cyber risk within its larger business strategy. Now more than ever, positioning CISOs to serve in the capacity of a transformational leader has become critical to the enterprise’s health.

Make cybersecurity a business priority

The transformational CISO has become the bridge between cybersecurity and the C-Suite. They must effectively articulate the link between cyber incidents and business disruption in a way that resonates with various stakeholders of the organization. This requires a holistic understanding of cyber risk’s three fundamental tenets: threats, vulnerabilities, and impact. For CISOs to address these three areas effectively, they need to keep the following areas of focus in mind:

  • Choose the right framework. Select an industry-recognized framework that aligns with the organization’s risk profile and also demystifies cybersecurity measures for the C-Suite and board. The NIST Cybersecurity Framework helps simplify the complexities of security in a way that business leaders can more easily digest.
  • Measure the organization’s maturity. It’s not enough to simply adopt and leverage a security framework. As the company implements its various controls, make sure to baseline and measure the maturity of the organization’s top security capabilities. That way, it’s possible to monitor progress over time.
  • Benchmark against industry peers. Initially, base the organization’s level of cyber spend on its risk profile. But as maturity improves, identify how the organization’s security architecture performs in relation to the sector at large – that can help determine whether the organization spends too much or too little.
  • Set an optimal target. Organizations on the high end of the maturity spectrum may decide to compare themselves to a more mature industry as a stretch goal. But even if the company stays within its industry for comparison purposes, set a maturity goal that’s always based on a deep understanding of business risk.
  • Continuously measure effectiveness. Even with a well-defined framework, maturity model, benchmark, and goal in mind, one important question remains: does the organization use its limited resources effectively? As organizations deploy, maintain, and operate their security program, make continuous measurements and assessments a non-negotiable item.

Today’s transformational CISOs are also responsible for fostering a companywide culture of cyber resilience where all employees play a role in safeguarding the organization. However, they can’t achieve this level of collaboration through static engagement and one-size-fits-all training that lacks contextual awareness. It compares quite nicely to the challenges of parenting a teenager. Just because we know what’s best for our kids doesn’t mean they will always do what we tell them. But if we can effectively illustrate the value behind our advice – and that we’re offering it with their best interest in mind – there’s a far better chance it will translate to positive action.

The same goes for CISOs tasked with building a culture of cyber resilience. We can’t expect standard sets of policies or routine training to automatically translate into 100% staffwide security compliance. For internal engagement to resonate, CISOs have to scale it to the individual end user and design it with personalization in mind – offering valid reasoning that a non-technical workforce can understand.

When given a paved road of proven protocols to follow, employees will follow them and keep the organization safe. Compounded at a macro level, this creates a dynamic where security awareness becomes ingrained into day-to-day workflows as part of an overarching company culture. By defining targets and benchmarks and creating a culture of cyber resilience that everyone in the organization agrees on, CISOs can prevent burnout and help their organizations succeed in the face of the ever-expanding threat landscape.

Frank Kim, SANS Fellow and Instructor; CISO-in-Residence, YL Ventures
