Two Roles of a CISO
The dual roles of the CISO are pivotal to a strong security program
By: David Puzas
You might not think of technical experts as the best communicators, but the fact is that anyone in the role of CISO must be an excellent communicator. In addition to being well-versed in networking and cybersecurity, CISOs need to be skilled in business and in influencing others. CISOs need to work with C-level executives, board members and IT teams so they all understand how IT security, or the lack of it, affects the business. In a good work environment, the CISO should have a seat at the leadership table and be involved in all decisions regarding IT, presenting the risks and costs associated with current and possible future technologies.
CISOs should be able to speak the language of their peers and stakeholders. It is appropriate to use technical language when working with IT and security teams, but business counterparts need to be presented with facts in business terms, such as statistics or recent news stories, to help them understand the consequences of not providing adequate security. Fear, uncertainty and doubt do not persuade businesses to take action. Facts, costs, resources and likely outcomes are more persuasive with business leaders. Businesses need to understand that all networks have vulnerabilities and that important data exists throughout the network. Until a company knows where all of its important data lies and what vulnerabilities surround it, that data cannot be protected. Many executives think security devices protect organizations from threats, so the CISO must explain that those devices are simply machines that need the right people to manage them properly and to respond to their alerts, and that it takes more than machines: smart security also requires a mix of security experts and analysts.
Executives need to understand that the CISO's job is to explain the risk and cost of any proposed business decision regarding IT, to see the big picture of the organization, and to align with its goals while presenting in-depth knowledge of the security environment so the company can mitigate risk. It is up to executives and board members to make certain that security is in place and that everyone throughout the organization understands that security must be part of everyone's job.
Cybersecurity should not revolve around constantly responding to attacks after the fact; it should be a forethought in virtually every decision the company makes. This is why it is important that the CISO have a seat at the executive table, to research and present the risks that come with each new change to the network, whether it involves mobile, social, wireless, cloud computing or anything else that may become part of the network.
Ideally, the CISO's main function is to ensure technology is put in place with the least risk, but since CISOs do not control all corporate business decisions, it is up to the other C-suite leaders to listen to their recommendations and allocate the resources needed to secure the network. A company's board of directors and CEO should work with their organization's CISO to gather the right data to help them make informed decisions regarding IT security.