survey of CISO influence shows that the field has reached
an inflection point. For a C-level security executive, it’s probably obvious: Most
infosec leaders can feel there’s a revolution afoot without having to sift through
the data to prove it.
As organizations push forward
with digital transformation, cybersecurity is on everyone’s radar. Daily headlines
of devastating cybercrime build awareness, but there’s lots more work to do. As
a result, the role of the security chief is evolving, and the CISO’s importance
continues to grow in the eyes of top executives and boards.
Though only 27% of security
officers surveyed say they report directly to the CEO, that’s a much higher indicator
of CISO influence than has been seen in other major studies conducted in the last
few years. In this most recent snapshot, almost all — 97% — of CISOs and CSOs have
at least some visibility to executive leadership.
This is a welcome change. Since
the “C” in CISO stands for Chief, those in the C-suite share
at least a few things in common: They are in direct charge of operational and financial
performance within their areas of responsibility, and they answer to the CEO and
board of directors in matters relating to growing
Perhaps the survey’s biggest
takeaway for today’s CISO is that unless they speak to the business and take
direct action in growing and maintaining profitable customers, they won’t earn their
seat at the C-suite table.
The Good News
The data points coming out of this survey show that security leaders
are valued, and the importance of cybersecurity to the business is integrated into
almost every aspect of business process and planning. Unfortunately, the results
are still mixed in terms of how others view security and the CISO, and there is
often confusion about connecting security key performance indicators (KPIs) with
Getting the C-suite to listen
is always a net positive, but plenty of inconsistencies remain. Almost a third in
the survey say they are asked to provide on-demand performance updates, yet only
18% have access to continuous metrics. Another third say that security controls
and management are still not integrated, and yet over half are required to pinpoint
ROI for their security spending. For the most part, CISOs still struggle to mature
their practices in reporting to the CEO and board. The good news here is that, when
they do, they gain tangible authority and credibility.
The Three Do’s
There are three actions that CISOs must take to gain the credibility and confidence
of their peers and stakeholders. The study confirms that if these actions are not
taken in today’s cyber world, it’s an uphill battle:
1. Develop and manage key stakeholders. Walk the hallways — real
or virtual — and talk to stakeholders about what is important to them. This kind
of interpersonal relationship building is not normally associated with cyber types,
and maybe it’s more “management by Zoom” these days, but it’s the same
idea. CISOs must become strategic, trusted advisers to fellow officers and directors.
Nothing can substitute for direct interaction to get people aligned to action.
2. Understand the business. Technical skills and expertise
are no longer enough. The enterprise-specific nuances of compliance, risk management,
threat modeling, detection, and response are now guaranteed to be different with
almost every company. The extension of digital product life cycles forces the need
for a more business-savvy approach. This puts pressure on the CISO to accurately
align the cybersecurity program with the mission of the business and the needs of
It’s still true that perhaps
60% of a cybersecurity program can work across any company. It’s that 40% that’s
turned into a wild card unique to every business, and where CISOs get into trouble
if they don’t understand the business of the business.
3. Be able to demonstrate value. Measurement
is moving toward the custom and qualitative in cyber, so connect risk management
metrics to the nuances of the business, its products, services, supply chain, and
customers. Again, understand what the organization is trying to mitigate, remediate,
and manage, and be able to explain the why to peers who don’t understand
cyber as well as an infosec leader does.
Come up with KPIs that track
the risks the company is managing, measured against business imperatives. Convince
fellow executives that while all risk can’t be eliminated, they
need to think in terms of managing it and creating operational resilience, with
a defensible risk posture that makes sense
for the organization.
It’s Time CISOs Arrived
These three actions form the foundation of the security program
and shape how a CISO’s career and compensation path will follow. The Dark Reading research
delivers confidence that security leaders’ influence and credibility are rising
fast within the chain of command. Every CISO should focus on keeping up with the
evolution from technical tacticians to business strategists, earning respect, and
finally taking ownership of that seat at the table.
About the Author
Michael Eisenberg is a seasoned information security professional with more than 30 years of experience working across public and private sectors including two global Fortune 250 organizations (Aon and McDonald’s Corporation), the government sector and the US military. As Vice President of Strategy, Privacy, Risk at Coalfire, Michael leverages his experience through a range of security consultative services that help C-level officers build and improve security strategies and deliver cybersecurity programs. He received a master’s degree in computer science from Illinois Institute of Technology. Michael holds CISSP, CISA, CISM, and CRISC security certifications.