This article is contributed by Ashley Rose, CEO and co-founder of Living Security.
Since the inception of the position of Chief Information Security Officer (CISO), the security professionals who occupy this seat have had to walk a tightrope between the IT department, other C-suite executives and the board. CISOs responsible for handling real-time threats and mitigating cyber-attacks often find themselves caught between a rock and a hard place, trying to communicate and implement security initiatives that the rest of the business must buy into. With one leg in security and the other in business, it’s critical that CISOs can report security gaps and ultimately gain approval for the initiatives that keep the enterprise safe. Here are three tips for navigating the increasingly executive role of the modern CISO.
Start speaking the language of the board
To effectively bridge communication gaps, CISOs must speak in terms that the board and other C-suite executives will understand. This requires examining how cybersecurity directly impacts business operations, customer relationships, the company’s reputation and, ultimately, the bottom line. Cyber attacks are becoming more common, and it really is a matter of ‘when’ rather than ‘if’ a business is affected. CISOs should use real-world examples to demonstrate how cyber incidents have resulted in shareholder losses, damage to corporate reputations, and even board-level terminations. In addition, cybersecurity initiatives must be translated into business objectives that demonstrate a return on investment through an enhanced security posture that protects business outcomes. For example, a CISO can provide statistics showing how phishing penetration tests and awareness events ultimately increase efficiency and save money.
Lean into your stats
When CISOs compete for sometimes scarce resources, they must quantify security risks. Any claim must be backed up with data that demonstrates the company’s security status and shows where gaps could lead to a costly attack. The goal is to build the board’s trust that the right decisions are being made and that no money is wasted. Metrics are self-explanatory: they show how the needle of risk moves over time and where to invest to protect the company’s value.
Use a larger network of influence
In modern enterprises, CISOs can no longer afford to live in IT silos. Interactions with other C-suite executives are critical to integrating cybersecurity initiatives across the business. If top management isn’t involved in cyber hygiene, their teams aren’t invested either. It is absolutely critical to enterprise security that every person in a company is invested in cybersecurity from the top down. Some companies are even investing in a new role, the Business Information Security Officer (BISO), to essentially act as an ambassador between the CISO and other business units. BISOs are engaged to raise the profile of cybersecurity across the organization and learn the needs of each department to offer tailor-made cybersecurity initiatives and training. While not essential, they can help realize a CISO’s ultimate vision.
Work together outside the company
Just as building relationships within the company is necessary for CISOs, so is working with suppliers and partners outside it. In today’s increasingly digital world, organizations are only as secure as the partners they are connected to. Assess the security of the company’s most critical vendors, be clear about your cybersecurity expectations, and ensure that there are open lines of communication so you know those standards are being met.
Today’s CISOs wear multiple hats and their job is getting harder and harder. They need to speak the C-suite language while maintaining a close relationship with IT. They must navigate strategic governance discussions, while keeping the company’s tactical security initiatives at the forefront. However, if they rise to the challenge, focusing on how security initiatives deliver a return on investment, leaning on their metrics and building relationships both inside and outside the office, they can create security initiatives that really move the needle of risk.
Ashley Rose is the CEO and co-founder of Living Security, a pioneer in human risk management and a leader in security awareness training.
This post, “4 Tips for Navigating the Executive Role of the Modern CISO”, was originally published at https://venturebeat.com/2022/03/19/4-tips-for-navigating-the-executive-role-of-the-modern-ciso/