The days of managing from the shadows are long gone for the CISO. As the technology needs, reach, and partnerships of businesses evolve rapidly, the CISO can no longer remain unseen. Today’s CISO is more than an advisor to the C-suite, with 88% of boards of directors viewing cybersecurity as a business risk. The CISO’s role has expanded to encompass advising the entire business and its employees on how they can help ensure data security, starting now.
Finding balance between IT Security and the C-suite
Businesses themselves are expanding their remote working capabilities, partnering with more vendors on enterprise and customer tools, and confronting broader and higher-profile data breaches than ever. But if the CISO is treated like a constant source of bad news for the C-suite, the business will only create more problems for itself. The challenge is that in order to best serve the company, CISOs need to understand how to communicate the risk, and the value of reducing risk, to an executive team that may not have deep technical knowledge on the issues. Good security requires buy-in throughout the business, and that has to start at the top. With the help of the CISO and CIO, the executive team needs to prioritize and invest in security policies, procedures, resources and training across the organization.
The contemporary CISO must understand how to educate the team on what makes a sound technical security decision, and why. That requires interpersonal skills and an understanding of the particular culture and structure of the business: What information does the CISO need to communicate to which stakeholders, and under what circumstances? What motivates those stakeholders in their own roles? And how can the CISO assure stakeholders that the goal is to help them succeed rather than to introduce obstacles? The business’s goals may at times seem to conflict with the strongest security practices, so the bottom-line value in dollars of implementing stronger security must be clear to all.
Ultimately, security risk means business risk – so security risks should be communicated considering their effects on the organization holistically, to decision-makers at the highest level. CISOs need to “walk the executive tightrope,” use their persuasive skills, adapt the message for each relevant function of the business – and foster trust both with and among business leadership. While a number of businesses have security expertise at the executive level – 61% of businesses overall do, and 80% of enterprise businesses – that person isn’t positioned in the same place in every business. Wherever the CISO or top security personnel sits, it’s important to foster trust and collaborate within IT, as well as across the entire business, to agree upon levels of risk and enable strong business outcomes.
Managing external vendors to evaluate risk
The CISO’s responsibilities are not limited to the business’s internal functions – especially not at a time when the line between internal and external can seem increasingly blurry. Enabling remote work means implementing tools that enable remote communication and collaboration. Those tools are often provided by third-party vendors – each of which could potentially pose a security risk. This shift in how and where work is done has prompted businesses to re-evaluate how their partners use their employees’ and customers’ data, and spurred CISOs to identify possible security gaps in those partnerships. To suggest and implement solutions for those gaps, the CISO and business leadership must work together to approach and solve problems with third-party vendors. It is a best practice to ensure that contracts with vendors include expectations around security requirements and have SLAs (service-level agreements) for those requirements, including ongoing posture monitoring, regulatory compliance, and risk remediation as needed.
The CISO and business leadership need to ask about their vendors’ security protocols and tools, look at vendors’ history of security incidents, and understand who their own subcontractors are (and how they’re using the business’s data). The legal team needs to be involved in these discussions, and technical teams must assess whether they have more customer and employee data than the vendor really needs. Minimizing flow of data and information helps minimize risks.
The CISO role is evolving toward greater freedom
Over time, businesses are certainly not going to become less reliant on in-house and third-party technology. New technological tools will emerge and be adopted, while cybercriminals develop more advanced attacks preying on security gaps along the business’s whole supply chain. CISOs need to continue learning and advocating for the best solutions in tandem with this growing technical complexity. Considering all that, we should expect the CISO’s role to keep moving closer to the executive level, and closer to the core of business operations. Business leadership needs to consider how the CISO functions as a business enabler – because, in the end, security enables business. The CISO’s leadership role will need to extend beyond getting executives on board with security-enhancing initiatives to also overseeing the education of the business’s employee base at large. Indeed, the willingness to work and grow with security in mind – without drawing teams away from their core functions – must come from the top and the bottom of the business alike.
The CISO’s role has long touched upon a range of functions, and it’s coming to touch upon more and more over time. Network security protocols and policy, compliance and governance, security of connected devices, access to networks, privacy, physical security – if today’s CISO is not involved in those tasks, tomorrow’s will be. And today’s CISO must prepare to step out from behind the curtain and evangelize for security within the company and across the business’s ecosystem.