As business pressures increase, chief information security officers (CISOs) face an alarming disconnect from executive teams. WSJ recently published research highlighting that communication is at the root of the problem: 58% struggle to make the technical understandable to senior leadership, and 82% feel the need to sugarcoat their security reports in front of the board.
We had the pleasure of speaking with two security leaders, LV= CISO Dan Baylis and Phillip Heyns, Global Cybersecurity Architecture & Engineering Manager at Hitachi Energy, to discuss this challenge and provide practical tips on promoting data-driven conversations about security performance and ROI. Read this blog post for actionable insights from the webinar.
You can find the full webinar here
The Role of CISO has Shifted
After COVID accelerated digital adoption, organizations are more focused on cybersecurity than ever before. Previously, the CISO needed to advocate the importance of a secure organization, but now the emphasis on cybersecurity is coming from the top down.
Traditionally, the CISO was more of a technical role, reporting only to the chief information officer (CIO). Now, the CISO is expected to be a business leader and focus on more than just the technical aspects of the job. The CISO needs to communicate and lead the technical team while also speaking to business leaders in a way they can understand, ensuring that the cyber strategy relates to the organization’s business strategy.
Here are five tips for how a CISO can embrace this newly defined role, fulfill the board’s expectations, and strengthen an organization’s security posture.
1. Accurately Report Risk
Some CISOs downplay their organization’s level of risk out of fear of being held personally responsible for a high risk score. This kind of reporting has the opposite effect: because leadership isn’t concerned, the CISO doesn’t get the support needed to reduce the risk, and the situation becomes even more dire.
Being honest about cyber risk can empower senior leadership and executives to make effective data-based decisions to address those risks and support the CISO by providing the necessary resources.
New compliance requirements, like the US Securities and Exchange Commission (SEC) rules on timely disclosure of material cybersecurity incidents, will drive transparency and encourage the use of frameworks and structures for reporting cyber risk. They can also help CISOs share responsibility for cyber risk with the rest of the organization by ensuring that risks are made known and clearly articulated to executive management.
2. Communicate with Both Technical and Business-Oriented Audiences
CISOs must convey complex messages in a compelling and tangible way, and data helps. But the data should be tailored to the audience: benchmarking against other companies in the same industry is useful when communicating with stakeholders, while a risk committee will want to see control coverage and effectiveness.
CISOs should focus on connecting their cyber investments to actual business outcomes and results that matter to management and the board. Breach and Attack Simulation (BAS) tools help tell that story: continuous testing with BAS can measure security coverage before a new control is implemented and show the trend of improved coverage after it is deployed.
Likewise, start from the business outcome the organization expects and choose the data that tells that story. If the expected outcome is reduced financial impact on the business, for example, show the increase in team productivity that followed an investment in automated tooling.
3. Utilize Automated Offensive Security Testing
It’s risky to deploy security controls and assume they’re effective without continuously testing them. Manual assessments that may have sufficed 10 years ago are not enough against threats that evolve daily and digital transformation projects that adopt new technologies, migrate applications to the cloud, and integrate internal systems with supply chain partners. Automation has to be part of the equation.
Automated security validation provides CISOs with a continuous, comprehensive, and data-driven view of their security control investments and performance. It helps CISOs focus on their team’s gaps and understand where to invest more time and resources. Security validation tools enable CISOs to communicate with stakeholders about the organization’s gaps, the strategy to fill them, and the results of the team’s efforts.
Automated security validation also helps track and manage security drift: a control that blocked a technique last quarter can silently stop doing so after a configuration change or an update, and only a repeated test will show it. And by identifying the gaps in your controls, you can prioritize them and ensure the most critical ones are addressed before they’re exploited.
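The before/after coverage trend described under tip 2 and the drift tracking and gap prioritization described here can be computed directly from validation results. The following is an added example, not code from the webinar, the speakers, or any BAS product: it takes two constructed validation runs (the same eight techniques tested before and after a new endpoint control), reports coverage for each, flags drift (techniques that were handled before and are missed now), and orders the open gaps by an assumed tactic priority. The ATT&CK technique IDs are real identifiers used only as labels; the outcomes, the priority order, and the `Result`, `coverage`, `drift`, `prioritized_gaps` and `board_summary` names are all assumptions made for this illustration.

```python
"""Added example, not code from the webinar or the post: turning automated
security validation results into the coverage, trend and drift numbers a
CISO can put in front of the board.

Assumptions: each validation run is a list of simulated attack techniques
with the outcome the existing controls produced ("prevented", "detected" or
"missed").  The technique IDs are real MITRE ATT&CK identifiers used only as
labels; the outcomes and the tactic priority order are constructed for this
illustration and are not measurements of any real environment.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Result:
    technique: str  # ATT&CK technique ID used as a label
    tactic: str     # kill-chain phase the technique belongs to
    outcome: str    # "prevented", "detected" or "missed"


# Constructed sample data: the same eight techniques run before and after a
# new endpoint control was deployed.  Outcomes are invented for illustration.
BASELINE: List[Result] = [
    Result("T1566.001", "initial-access", "detected"),
    Result("T1059.001", "execution", "missed"),
    Result("T1003.001", "credential-access", "missed"),
    Result("T1021.002", "lateral-movement", "prevented"),
    Result("T1486", "impact", "detected"),
    Result("T1048", "exfiltration", "missed"),
    Result("T1547.001", "persistence", "prevented"),
    Result("T1071.001", "command-and-control", "detected"),
]
AFTER_CONTROL: List[Result] = [
    Result("T1566.001", "initial-access", "detected"),
    Result("T1059.001", "execution", "prevented"),
    Result("T1003.001", "credential-access", "prevented"),
    Result("T1021.002", "lateral-movement", "prevented"),
    Result("T1486", "impact", "prevented"),
    Result("T1048", "exfiltration", "missed"),
    Result("T1547.001", "persistence", "missed"),  # was prevented: drift
    Result("T1071.001", "command-and-control", "detected"),
]

COVERED = {"prevented", "detected"}

# Assumed ordering for prioritising open gaps: lower number = fix first.
TACTIC_PRIORITY: Dict[str, int] = {
    "impact": 0, "exfiltration": 1, "credential-access": 2,
    "lateral-movement": 3, "persistence": 4, "execution": 5,
    "command-and-control": 6, "initial-access": 7,
}


def coverage(run: List[Result]) -> float:
    """Fraction of tested techniques that a control prevented or detected."""
    if not run:
        return 0.0
    return sum(r.outcome in COVERED for r in run) / len(run)


def drift(baseline: List[Result], current: List[Result]) -> List[str]:
    """Techniques that were covered in the baseline run but are missed now.

    This is security drift: a regression, not merely a gap, and it is the
    first thing to raise because it means a control silently stopped working.
    """
    before = {r.technique: r.outcome for r in baseline}
    return sorted(
        r.technique for r in current
        if r.outcome == "missed" and before.get(r.technique) in COVERED
    )


def prioritized_gaps(run: List[Result]) -> List[Tuple[str, str]]:
    """Missed techniques as (tactic, technique), most critical tactic first."""
    missed = [(r.tactic, r.technique) for r in run if r.outcome == "missed"]
    return sorted(missed, key=lambda t: (TACTIC_PRIORITY.get(t[0], 99), t[1]))


def board_summary(baseline: List[Result], current: List[Result]) -> dict:
    """Numbers for a board slide: coverage before/after, the trend, what
    regressed, and what is still open in priority order."""
    before_pct = round(100 * coverage(baseline), 1)
    after_pct = round(100 * coverage(current), 1)
    return {
        "coverage_before_pct": before_pct,
        "coverage_after_pct": after_pct,
        "coverage_delta_pct": round(after_pct - before_pct, 1),
        "regressions": drift(baseline, current),
        "open_gaps": prioritized_gaps(current),
    }


if __name__ == "__main__":
    for key, value in board_summary(BASELINE, AFTER_CONTROL).items():
        print(f"{key}: {value}")
```

On the constructed data the summary shows coverage rising from 62.5% to 75% after the new control, which is the positive trend tip 2 describes, but it also lists T1547.001 as a regression: a persistence technique that was prevented before and is now missed. That is the point of running validation continuously rather than once: the headline number improved, and without the drift check the silent loss of an existing control would have been reported as pure progress.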
4. Create a Culture of Cyber Awareness
People will always be the weakest link in every organization. By creating awareness within the company of the methods used to breach it, such as phishing, a CISO can decrease risk. A simple phishing simulation exercise once a month encourages employees to be more vigilant about the emails they open and the links they click. If employees show specific weaknesses, CISOs can run phishing workshops to address them.
5. Balance Business Initiatives with Cyber Strategy
Security can be seen as an inconvenient obstacle to the business. CISOs must therefore cultivate good relationships with senior leadership and the executive team so that they are included when big decisions are made. If the CISO makes the effort to understand new business initiatives and to find a way to do them safely, leadership will be more likely to listen when the CISO says something cannot be done securely.
This approach also works when a cyber initiative is essential to the organization but has no budget. A valued CISO can approach leadership and justify investing the money now to protect the organization on its own terms, rather than paying more later because of an unanticipated breach, on top of all the other consequences of an attack.
CISOs Should Take a Proactive Approach in their Organization’s Cybersecurity Strategy
CISOs who embrace a proactive stance toward their organizations’ cybersecurity will strengthen their security posture and align cybersecurity efforts with broader business objectives, paving the way for improved communication with leadership. Metrics and data-driven reporting can support CISOs in their role and get them a seat at the executive table.
For more CISO tips, watch the full “CISO Roundtable: Automated Security Validation and Metrics of Cyber Resilience” webinar here.