
Being a CISO: How to Be a Business Leader in the Boardroom


With the rise of digital transformation initiatives in 2020, a Chief Information Security Officer’s (CISO) already stressful work environment became even more complex. The shift to remote work spawned new challenges for security professionals: keeping data secure on endpoints and networks that were no longer continuously monitored, Zoom hijacking, securing API integrations between newly adopted SaaS tools, and dozens of other issues. At the same time, CISOs are facing more scrutiny over security posture from the Board of Directors than ever before.

CISOs needed to be on top of their game because, in addition to those high-risk challenges, countless businesses found themselves fast-forwarding their digital transformation initiatives to adapt to the new normal. 2020 has been called the year of the great accelerator: initiatives that had been on hold were suddenly necessary to support remote work. With little in-person face time and a fast-changing risk picture, many businesses played catch-up as threat models and control points shifted, and they often found themselves one step behind.

Managing Expectations with the C-Suite and the Board

In the face of 2020, many C-suite executives and Board members became aware that their cybersecurity programs and threat monitoring had been underfunded. Companies lacked a security culture to reinforce the controls they already had, which created a perfect storm: key employees were targeted with credential-stealing malware, home networks became prime targets, and the mixing of personal and work environments blurred where corporate data actually lived. Wyatt Cobb, CEO & Co-Founder of SOFTwarfare, says, “Many executives realized that it was pay now or pay big later. No one wants to be the brand or that person on the front page of every newspaper talking about a breach.” This increased scrutiny only compounded a CISO’s already pressing duties and further stressed IT and cyber risk programs.

“The reality of incidents occurring is not an if, but a when,” Cobb continues. “Addressing threats and risks as a C-level executive can come from a place of fear. There needs to be this sort of paradigm shift of, how are we going to manage this vs. how are we going to eliminate it?”

But getting executives on the same page can be a challenge when much of cyber risk management happens ‘behind closed doors,’ isn’t widely discussed, and, before 2020, was not represented in company culture. Following 2020 and the volume of cyber events in the wake of remote work, however, we are beginning to see organizations’ security programs come under the microscope well beyond the CISO’s annual Board presentation.

Open Up Discourse and Be Transparent

A CISO does no one any favors by keeping risk management strategies and known vulnerabilities close to their chest. Yet CISOs often view their tenure as unstable, assuming that at the first sign of a risk being exposed and exploited they would be forced to move on. According to Gartner, however, the average CISO tenure is over 35 months, and it is rarely cut short by a breach. Still, many CISOs operate as if they were one data breach away from being replaced. This negative cycle is detrimental to company culture and to the C-suite as a whole, because a CISO who does not feel safe reporting threats and incidents to the Board will under-report them.

A Gartner study of 129 CISOs found that only 12% excelled in all categories of Gartner’s CISO Effectiveness Index. On average, CISOs allocate more of their time and resources to “tactical” activities than they would like. Top-performing CISOs report a better relationship, and three times the interaction cadence, with non-IT stakeholders compared with bottom-performing CISOs, and they manage stressors and fatigue more effectively than their bottom-performing peers.

To remediate this toxic mindset of replaceability, Gartner suggests that CISOs identify the gaps in their own behavior that keep them from being effective in the role: delegate tactical activities to staff or other stakeholders, and reallocate that time toward strategic planning and risk management. According to Gartner, immature organizations rate their CISOs on their ability to keep the company safe and protected; average-maturity organizations assess them on their ability to manage risk; and high-maturity organizations measure them on their ability to deliver value and impact the bottom line. So it comes down to CISOs setting their companies up for success, and vice versa, so that they can rise together and proactively manage risk.

Establish a Narrative

It is hard to put a tangible, measurable return on investment on cybersecurity posture, integrated risk management, or risk assessment. For many senior executives, these problems will not land on their desk multiple times a day demanding attention; if the job is being done correctly, they may never surface at all. This ‘invisibility’ of risk becomes an issue when budgets and business processes are reviewed, and C-level executives may wonder why so much has been invested in these areas when there isn’t anything to ‘show’ for it.

Security strategy can still be reasoned about, whether you’re a CISO, a senior network engineer, or a CEO. Understanding where vulnerabilities exist and then prioritizing them by criticality has been a sound approach for decades. It’s a matter of getting everyone invested in the success of vulnerability management.

One way to mitigate these challenges is to establish a narrative and demonstrate a value chain that aligns IT and business objectives. By showing the Board the value added to the whole company through risk management at every step of that chain, the CISO demonstrates a return on investment and underlines the importance of keeping data safe along the entire supply and value chain.

Focus on the Future

A CISO’s responsibilities will only continue to grow as the world expands into digital transformation, and so will the pressure CISOs face daily. However, with a plan in place and a mature risk strategy, it is possible to be prepared for the ever-present threat of a data breach.

To better understand how to be a business leader in the boardroom, check out our webinar here. To learn more about integrated risk management solutions, contact us. 
