The average tenure of a CISO? A little over two years. While it may seem like CEOs and their security leaders end up as the scapegoats of breaches and botched responses (ahem, Equifax), the reality is that CISOs have a job that’s hard to do well. Many CISOs are held responsible for the security of technology they do not control, or initiatives they are unaware of until the eleventh hour.
While CISOs have a difficult job, the fault may not be fully in the stars. CISOs can make their job easier on themselves by avoiding common mistakes. Here are some of the common pitfalls security executives fall into:
1. Talk to the C-Suite in technical terms and jargon
You’re the expert. You know that security is of the utmost importance to your organization. Maybe you’ve even used recent breaches to highlight the potential fallout if a similar event were to occur at your company. But your audience, the C-suite and the board, are not experts; they want the bottom line. Don’t lose them by talking about the latest network monitoring tooling or raw alert statistics. Cyber is an enterprise risk, and senior executives care about how that risk can affect revenue, operations, customers, and regulatory standing. You should care about that too. Spend some time tailoring the way you talk about cybersecurity to your audience and it will go a long way.
2. Only tell the good news stories and none of the bad
Everyone will be quite happy with charts and metrics that show how well you’re implementing your cybersecurity strategy and controls… until they’re not. No one in your organization will be successful if you’re not willing to have a frank and transparent conversation about the cyber threats that are most likely to impact your business. Business executives, business line leaders, and the security team all need a common understanding of the weaknesses in your business that create opportunities for a cybersecurity incident. If you’re willing to talk about the areas that need improvement in a professional and solutions-oriented way, you’ll likely get a lot more support from the executive team as a result.
3. Assume third-party providers will effectively handle your security
Think of all the different companies, vendors, and suppliers your company relies on to do what it does best. In order to take advantage of the efficiencies of the supply chain, external vendors and partners are often given access to certain internal systems. But how often and how rigorously are you screening those third parties for proper security controls? You may be investing significant resources to meet your own cybersecurity needs, but that investment is undermined if a vendor with weaker controls holds credentials or a network path into your environment: a compromised vendor account or integration lets a threat actor bypass the security procedures you built. As part of your security program, make sure your supply chain is held to (at least) the same security requirements as your organization, and that vendor access is limited to what the engagement actually needs, reviewed periodically, and revoked when the engagement ends.
4. Think every aspect of security is equally important
If everything is important, then nothing is. If you’re not able to identify and prioritize the real risks to your organization’s business, then you won’t be able to implement an effective strategy or the controls that go with it. If you categorize every risk as ‘high’, the truly important action items may not get the attention they deserve… and you’ll lose your credibility if you’re pouring budget into too many things that aren’t showing results. Don’t let the actual big stuff get lost in the noise.
5. Expect technology to solve all of your problems
It’s true that automation and new technologies are helping the security industry make tremendous strides. But while artificial intelligence and automation let CISOs sift through more data and analyze it faster, you still need to accept that there are limitations. Don’t fall into the trap of assuming that an out-of-the-box or one-size-fits-all approach is going to work for your business. With all the added visibility a technology-driven security approach brings, it becomes even more critical that you invest in the right people with the right skills to sift through, analyze, and act on that data.
6. Position security as unrelated to business growth
It’s easy to slip into a corporate culture that treats security as an afterthought rather than a strategic initiative. This is particularly apparent in high-growth companies and technology start-ups, although it’s common in mid-sized and large businesses as well. It’s your responsibility not only to advocate for security by design across the entire organization but also to find ways to communicate that responsibility in terms that match the desire for business growth. Think about and weigh the costs, benefits, and payoffs of the security controls needed at each stage of the business; they’ll be very different for a small start-up scraping by to survive versus a large, established business. Everyone needs to be aware that cybersecurity has to evolve as the company evolves, but it’s easier if you start out on the right foot.
7. Come from a place of “No”
You’ve heard it a million times: no one likes the lawyers, because they’re seen as a hindrance to progress. Don’t let security earn the same reputation. In addition to understanding how security can actually help enable business growth, think about the way you work with other business units to make them successful. We get it. No CISO appreciates “shadow IT,” but it happens, and it usually happens because a team had a goal and no sanctioned way to reach it. Your first reaction might be to say no to things that seem risky, but make sure you communicate often with your counterparts in other business units. If you have a clearer understanding of the goals they’re trying to achieve, you may be able to help them get to the right place without sounding like a set of screeching brakes.
A CISO’s job isn’t going to get easier anytime soon, but if you take away only one thing from the list above, it’s this: success on all these fronts depends on strong communication. There are a lot of stakeholders you need to get on board to make your security strategy effective, from the boardroom on down. The truth is that cybersecurity is a business enabler. You just have to start creating, implementing, and communicating your strategy like the enabler it is.
Need Help Polishing Your Boardroom Skills?
Do you need assistance in educating your own board or getting on the same page with your executive leadership? Let CyberVista help. Learn more about Cyber Resolve, CyberVista’s training programs geared at providing cyber risk education specifically to board and executive leaders, and how we work with CISOs to tailor and align the training to an organization’s specific cybersecurity strategy.