
Being a CISO in 2021: How to Be a Business Leader in the Boardroom


With the rise of digital transformation initiatives in 2020, a Chief Information Security Officer’s (CISO’s) already stressful work environment has become even more complex. The pandemic spawned further challenges for security professionals as remote work spread: keeping data secure in an environment that wasn’t constantly monitored, Zoom hacks, securing API integrations, and dozens of other issues. CISOs are facing more scrutiny about security posture from the Board of Directors than ever.

CISOs needed to be at the top of their game because, in addition to those high-risk challenges, countless businesses found themselves fast-forwarding their digital transformation initiatives to adapt to the new normal. 2020 has been called the year of the great accelerator because initiatives that had been put on hold suddenly became necessary to support remote work. With the lack of in-person face time, combined with security risks, many businesses were playing catch-up as threat models and control points changed, and they seemed always to find themselves one step behind.

Managing Expectations with the C-Suite and the Board

In the face of 2020, many C-suite executives and Board members became aware that cybersecurity programs and threat monitoring had been underfunded. Companies lacked a culture that reinforced their existing controls, which created a perfect storm of vulnerabilities: key employees being targeted with credential-stealing malware, home networks becoming prime targets, and the mixing of personal and work environments that blurred where data lived. Wyatt Cobb, CEO & Co-Founder of SOFTwarfare, says, “Many executives realized that it was pay now or pay big later. No one wants to be the brand or that person on the front page of every newspaper talking about a breach.” This increased scrutiny only compounded a CISO’s already pressing duties and further stressed IT and cyber risk programs.

“The reality of incidents occurring is not an if—but a when,” Cobb continues. “Addressing threats and risks as a C-level executive can come from a place of fear. There needs to be this sort of paradigm shift of, how are we going to manage this vs. how are we going to eliminate it?”

But getting executives on the same page can be a challenge when much of cyber risk management happens ‘behind closed doors’, isn’t widely discussed and, before 2020, was not represented in company culture. However, following 2020 and the volume of cyber events that accompanied remote work, organizations’ security programs are beginning to come under the microscope beyond the CISO’s annual presentation at the Board meeting.

Open Discourse and Be Transparent 

A CISO does no one any favors by keeping risk management strategies and vulnerabilities close to their chest. Yet CISOs often view their job tenure as unstable, expecting that at the first sign of a risk being exposed and exploited they will be forced to move on. According to Gartner, however, the average CISO job tenure is over 35 months. That tenure is rarely cut short by a breach, but many CISOs operate as if they’re one data breach away from being replaced. This negative cycle is detrimental to company culture and the C-suite as a whole, because the CISO may not feel it is safe to report threats and data breaches to the Board.

A Gartner study of 129 CISOs found that only 12% of them excelled in all categories of Gartner’s CISO Effectiveness Index. On average, CISOs allocate more of their valuable time and resources to “tactical” activities than they would like. Top-performing CISOs are three times as likely as bottom-performing CISOs to report a good relationship and regular interaction cadence with non-IT stakeholders, and they manage stressors and fatigue more effectively than their bottom-performing peers.

To remediate this toxic mindset of replaceability, Gartner suggests that organizations identify the gaps in behavior that, once closed, will let CISOs be more effective in their role: delegating tactical activities to staff or other stakeholders and reallocating the CISO’s time toward strategic planning and risk management. According to Gartner, immature organizations rate their CISOs on their ability to keep them safe and protected. Organizations of average maturity assess their CISOs on their ability to manage risk, and high-maturity organizations measure their CISOs on their ability to deliver value and impact the bottom line. So it comes down to CISOs setting their companies up for success, and vice versa, so that they can rise together and proactively manage risk.

Establish a Narrative

It is hard to attach a tangible, measurable return on investment to cybersecurity posture, integrated risk management, or risk assessment. For many higher-level executives, these are not the sorts of problems that land on their desk multiple times a day demanding attention. If the job is being done correctly, they may never land there at all. The ‘invisibility’ of well-managed risk becomes an issue when budgets and business processes are reviewed: C-level executives may wonder why so much has been invested in these areas when there isn’t anything to ‘show’ for it.

Security strategy can nonetheless be reasoned through, whether you’re a CISO, a senior network engineer, or a CEO. Understanding where vulnerabilities exist and then prioritizing them by criticality has been a sound approach for decades. It’s just a matter of getting everyone invested in the success of vulnerability management.

One way to mitigate these challenges is to establish a narrative and demonstrate a supply value chain that aligns IT and business objectives. Showing the Board the value that risk management adds to the whole company at every step of the process demonstrates return on investment and underlines the importance of keeping all data safe throughout the supply value chain.

Focus on the Future

A CISO’s responsibilities will only continue to grow as the world expands into digital transformation, and so will the pressure CISOs face daily. However, with a plan in place and a mature risk strategy, it’s possible to be prepared for the ever-present threat of a data breach.

To better understand how to be a business leader in the boardroom, check out our webinar here. To learn more about integrated risk management solutions, contact us. 
