“Digital transformation may come in many forms, but the result is always the same - organizational change.” Rick Lemieux, CRO of itSM solutions, began our conversation with CyberSaint CRO, Jerry Layden, with the crux of what has become a beleaguered buzzword. The result of many digitization initiatives is, as Rick pointed out, a fundamental shift in processes and culture. Another product of these initiatives is the elevation of the role of the CISO - shifting from a reactionary position in the wake of a breach, a CISO becomes a critical contributor to strategy and development for the entire organization.
What CISOs today are finding, with the democratization of technology adoption across the enterprise, is that securing the organization takes more than endpoint tools - it is a risk-focused culture that best secures the organization. Search “how to change organizational culture,” and you’ll find that many have tried and that it is a slow-moving process. For CISOs the goal is not to perform a 180 on company culture - it is, instead, to add a layer of knowledge. The two keys for CISOs to change their organization’s culture in this way, as Rick and Jerry pointed out, are education and automation.
Automation to support information security teams
Jerry has a rich background in assisting organizations in adopting new technologies and, as CRO of CyberSaint, he has seen the need that cybersecurity organizations, in particular, have for automation technologies. The most significant issue that Jerry has seen with organizations not adopting technology is that they waste the scarce talent they have. It is no secret that cybersecurity positions are often left vacant for months (on average), and Jerry points out that “you lose talent when you disempower them with antiquated tech.” When already small teams are trapped in legacy GRC platforms, or even worse, spreadsheets, the grass gets exponentially greener by the day.
Education spreads a risk-aware culture throughout the organization
We all know that a risk-aware culture begins and ends with educating the whole organization about cyber risks. The barrier that many CISOs face, though, is finding the starting point. Especially for a technical CISO, the notion of soliciting buy-in and having to educate an entire organization is daunting. Rick put it best - “In the context of a risk-aware culture, it is the CISO’s responsibility to propagate that culture change given their knowledge of why things have to change.”
As CRO of itSM solutions, Rick has worked with Fortune 100 companies to educate them on the value of a risk-aware culture and to facilitate these changes that are so desperately needed. In our conversation, Rick laid out a culture change framework that CISOs can use to add the risk-awareness that is necessary for the digital age.
The Concentric Circle Framework to changing culture
In speaking to two case studies, Rick discussed how the most effective initiatives that he’s been a part of have started with a select group of evangelists and expanded from there - rippling throughout the organization. Now, every organization is different, but some trends emerge when choosing your dream team of initial stakeholders to get buy-in: Gartner discusses the critical stakeholders that CISOs must develop relationships with to realize a risk-based vision. Specifically, the COO, the CHRO, the CIO, and the CMO. Rick’s examples bear out these positions as first alliances. In one of Rick’s case studies, he worked with a Fortune 100 entertainment company, and his point of contact was the Director of IT (who eventually became the CISO when the position was created). The IT Director knew that they needed to increase risk awareness across the organization and began soliciting buy-in from the CIO and the COO. The reason for this choice was that, with the CIO’s technical understanding and the COO’s ownership of employee development and process, these two would be the IT Director’s best evangelists as the program grew. The results were stunning: once the IT Director, CIO, and COO had established the needs and goals, they began expanding in concentric circles - going from three to 15 to 100 and so on - until they did alter the company culture.
A culture change of any kind is daunting - it is a journey that requires patience, diligence, and constant vigilance to ensure that the new ideas remain and scale with the organization. For CISOs working to increase cyber risk awareness at their organization, stating that you’re going to change the culture is like saying you’re going to change the direction of a river - it is possible, but you have to start small. Start with key stakeholders who will facilitate the change with you, and be prepared to evangelize yourself - after all, you are the most aware of the need for this change. Changing the organization may require changes to you and your team first - both Rick and Jerry pointed out that the most significant barrier to CISOs getting buy-in for their programs was the inability of the C-suite to understand the technical jargon that most program management tools produce. Instead, communicate in the language that boards and CEOs can understand - remember, they want to understand. Ensure that, together with the right alliances, the right technology empowers your team to support a risk-based culture more effectively. After all, the result of this change is the recognition that the CISO position is critical to digital business operations. This change is just the beginning.