Leading an effective information security capability
With all the press and concern about cyber at all levels of the organization, with the regulators, and among the public, it is a worthwhile exercise to consider what this should mean for the Chief Information Security Officer (CISO) or equivalent.
Some point to the need to elevate the position of CISO to report directly to a senior executive, even to the CEO.
Elevating the position, in my opinion, will not necessarily do more than elevate the voice of cyber in the executive suite. It won’t necessarily drive the resources necessary for an effective cyber program, nor will it necessarily change the minds and attitudes of people from the executives on down.
In fact, elevating the position carries the risk that the CISO will get caught up in organizational politics instead of focusing on cyber risk itself.
Deloitte tackles this and other opportunities in a new piece, The new CISO: Leading the strategic security organization.
Of course, they are using words intended to induce people to read: ‘new’ and ‘strategic’. I think we can easily disregard them and focus on the problem at hand.
First, let’s acknowledge that the role of the CISO (or other individual responsible for information security) should never be considered as simply a compliance function.
Deloitte talks about “the imperative to move beyond the role of compliance monitors and enforcers to integrate better with the business, manage information risks more strategically, and work toward a culture of shared cyber risk ownership across the enterprise”.
But even when I had information security reporting to me 30 years ago, it was about protecting the organization and not just about compliance.
It is foolish to believe that executives or the board will invest if the only return is compliance. Yes, it is necessary but a compliance function will never receive the attention of a function that contributes to the success of the organization. Executives will commit resources to the level they think prudent, but not necessarily what it will take to enable success – because they don’t understand how cyber relates to their personal and corporate success.
If they don’t know that it matters to success, it won’t matter to them.
The successful CISO helps everybody appreciate how cyber contributes to and enables success.
Buried in the Deloitte material are two sections of great importance:
- While the CISO may think in terms of reducing risks, business leaders take risks every day, whether introducing an existing product to a new market, taking on an external partner to pursue a new line of business, or engaging in a merger or acquisition. In fact, the ability to accept more risk can increase business opportunities, while ruling it out may lead to their loss. From this perspective, the role of the CISO becomes one of helping leadership and employees be aware of and understand cyber risks, and equipping them to make decisions based on that understanding. In some cases, the organization’s innovation agenda may necessitate a more lenient view of security controls.
- …… CISOs [need] to pivot the conversation—both in terms of their mind-set as well as language—from security and compliance to focus more on risk strategy and management. Going beyond the negative aspect of how much damage or loss can result from risk, CISOs need to understand risk in terms of its potential to positively affect competitive advantage, business growth, and revenue expansion.
These are, in my opinion, the keys to an effective cyber program.
If the CISO is going to influence not only the resources he or she is given but the attitude and actions of the organization, it is necessary not only to understand how the business is run, but to talk to executives in the language of the business.
Talk about how the achievement of objectives may be affected by a cyber breach. Talking about specific objectives is the best way to influence hearts and minds.
Help executives make intelligent decisions when it is appropriate to accept a cyber risk to reap a business reward.
Talk business risk, not technobabble.
Do you agree?
Are there other points of value in the Deloitte paper?