The relationship between CISOs and the C-Suite continues to evolve. While some CISOs have earned a seat at the leadership table, many InfoSec leaders still need to prove their value, even though cyber risk may be the greatest risk facing an organization.
So what’s a CISO to do? Let’s review our Top 5 Tips for Meaningful C-Suite Engagement, which are designed to empower CISOs with strategies and techniques to highlight and describe their value propositions and effectively communicate cyber-related issues across the executive suite.
1. Learn how to look at cyber risk through your organization’s business lens.
Cyber risk is one of the most critical risks facing an organization. It crosses all business functions and therefore impacts every member of the C-Suite, so the effective and thoughtful CISO must view cyber through the lens of the business. The CISO cannot confine his or her views to the information security perspective alone; he or she must also understand the business’s priorities. The best advice for CISOs in this category is to be present and active in management strategy meetings, listen to the needs of the business leaders, and understand all aspects of the quarterly forecasts. A CISO in a silo may be just as dangerous as an organization without any CISO at all.
2. Share “translations” of security news articles that help decode security incidents and frame them in business terms for your C-suite.
As the subject matter expert, the CISO should be responsible and proactive in sharing security news across the C-Suite. If there is a topic in the news, the latest breach, or a new regulation, then the CISO should share that information and translate it by framing it through the lens of his or her business. When there is a breach in the news, business leaders will want to know how that same situation could impact them and whether their organization is better prepared. Further, business leaders will have the same questions as anyone else about whether they should use a password manager, how best to protect their personal data, and how best to protect their kids’ privacy on their home networks.
3. Influence and educate the influencers.
Understand who the influencers are in your C-Suite. The successful CISO will build consensus and influence with every leader. How? Take an interest in each member of the C-Suite and learn to translate cyber from each one’s perspective. Spend time with the COO and ensure he or she is preparing for the worst, talk M&A with the CFO, and think about what will make the CMO fully understand the value of data and how best to protect it. The entire leadership team needs to understand cyber risk as an enterprise risk, and the CISO can build influence and consensus one leader at a time.
4. Don’t be emotional or exaggerative.
The leadership team depends on the CISO for facts and for putting the organization’s cyber risk in perspective – your company’s perspective. As a leading CISO, you need to use real numbers and the right level of specificity, and to express your risk judgment in terms of probability. This is where scorecards and industry benchmarking analysis really matter, and why you need to share them frequently with your C-suite.
5. Be clear when engagements are informational versus decision-oriented.
It’s clear that all CISOs have depth and breadth of information security knowledge, from the threat landscape to the tools and techniques required to protect the infrastructure and the crown jewels of an organization, but the leading CISOs will also have the ability to manage expectations. What kind of meeting is this? Does the team need to learn something or make a decision? You, as the CISO, have the best perspective on analyzing and mitigating cyber risk, so make sure your team knows when they need to be prepared to listen and when they need to make a decision and act. If the C-Suite has the right information and understands it, then they will know how to act when faced with a cyber situation. To make cyber risk more real, breach simulations should be practiced with the leadership team at least annually.
Cyber risk is no longer an IT issue but rather an enterprise risk. The leading CISO can earn a seat at the leadership table by giving his or her fellow business leaders the confidence to make decisions about cyber risk. Let N2K help your leadership better understand cyber risk through our custom Cyber Resolve Board and Executive training. Learn more at cybervista.net.