
Leading an effective information security capability

September 4, 2016

With all the press and concern about cyber at all levels of the organization, with the regulators, and among the public, it is a worthwhile exercise to consider what this should mean for the Chief Information Security Officer (CISO) or equivalent.

Some point to the need to elevate the position of CISO to report directly to a senior executive, even to the CEO.

Elevating the position, in my opinion, will not necessarily do more than elevate the voice of cyber in the executive suite. It won’t necessarily drive the resources necessary for an effective cyber program, nor will it necessarily change the minds and attitudes of people from the executives on down.

In fact, elevating the position carries the risk that the CISO will get caught up in organizational politics instead of focusing on cyber risk itself.

Deloitte tackles this and other opportunities in a new piece, The new CISO: Leading the strategic security organization.

Of course, they are using words intended to induce people to read: ‘new’ and ‘strategic’. I think we can easily disregard them and focus on the problem at hand.

First, let’s acknowledge that the role of the CISO (or other individual responsible for information security) should never be considered as simply a compliance function.

Deloitte talks about “the imperative to move beyond the role of compliance monitors and enforcers to integrate better with the business, manage information risks more strategically, and work toward a culture of shared cyber risk ownership across the enterprise”.

But even when I had information security reporting to me 30 years ago, it was about protecting the organization and not just about compliance.

It is foolish to believe that executives or the board will invest if the only return is compliance. Yes, it is necessary, but a compliance function will never receive the attention of a function that contributes to the success of the organization. Executives will commit resources to the level they think prudent, but not necessarily to the level it will take to enable success, because they don’t understand how cyber relates to their personal and corporate success.

If they don’t know that it matters to success, it won’t matter to them.

The successful CISO helps everybody appreciate how cyber contributes to and enables success.

Buried in the Deloitte material are two sections of great importance:

  • While the CISO may think in terms of reducing risks, business leaders take risks every day, whether introducing an existing product to a new market, taking on an external partner to pursue a new line of business, or engaging in a merger or acquisition. In fact, the ability to accept more risk can increase business opportunities, while ruling it out may lead to their loss. From this perspective, the role of the CISO becomes one of helping leadership and employees be aware of and understand cyber risks, and equipping them to make decisions based on that understanding. In some cases, the organization’s innovation agenda may necessitate a more lenient view of security controls.
  • …… CISOs [need] to pivot the conversation—both in terms of their mind-set as well as language—from security and compliance to focus more on risk strategy and management. Going beyond the negative aspect of how much damage or loss can result from risk, CISOs need to understand risk in terms of its potential to positively affect competitive advantage, business growth, and revenue expansion.

These are, in my opinion, the keys to an effective cyber program.

If the CISO is going to influence not only the resources he or she is given but the attitude and actions of the organization, it is necessary not only to understand how the business is run, but to talk to executives in the language of the business.

Talk about how the achievement of objectives may be affected by a cyber breach. Talking about specific objectives is the best way to influence hearts and minds.

Help executives make intelligent decisions when it is appropriate to accept a cyber risk to reap a business reward.

Talk business risk, not technobabble.

Do you agree?

Are there other points of value in the Deloitte paper?

  1. September 4, 2016 at 3:13 PM

    Good article. Cyber-security is dominated by worries about the downside with little attention to the opportunities. This plays into the hands of those with an inclination to control without regard to the side-effects.

  2. Oren Hadar
    September 4, 2016 at 10:39 PM

    Norman, as always, you are so right! CISOs all around the world are looking for better technologies, more resource allocation and, mainly, to gain some respect from their business-side peers. Protecting is not enough; we (tech side) need to enable better business.
    I urge technical managers not just to protect existing processes, but also to show management how they can run more processes, new processes and improved processes. Not just to follow the business, but, as much as possible, to lead more opportunities to run existing and even new business.
    That’s the true way to gain respect and resources.

  3. September 5, 2016 at 7:11 AM

    The CISO has a big challenge. He/she is always at war, in a defensive role, to keep the hackers and cyber criminals out. He can only accept the introduction of new technologies, websites, etc., at the perimeter of the organisation when he/she knows it is secure. The aggressive sales persons don’t care. They want their new website now and not tomorrow. Security is no issue to them. There are many examples of how much damage this can cause. This pushes the CISO into a defensive role, so that people like him even less.

    To tell him he should help introduce new technologies doesn’t help, because the creators of new technologies don’t help him either. Security specialists know that people don’t learn from the past, and this applies to technology as well. Despite SANS, OWASP, etc., the new technologies come with known errors like buffer overflows and underruns, etc. So he will prefer proven technology.
