Are you a Business Leader?

Questions CISOs Need to Answer

As information security has moved to the forefront of general-interest news, we have suddenly seen much more scrutiny of corporate security strategy and the goals of security leaders. For the first time, the Wall Street Journal, which is among the most read business publications in the world, provides a weekly security news update. Many say this is the year of cyber security, but more likely it is the year of the Chief Information Security Officer. The CISO, and his or her strategy, has never been so closely studied. With attention comes great opportunity, and so this is the CISO's chance to elevate their role in the business and their impact in the boardroom. All of this depends on the CISO adopting and implementing the right approach for their business.

We have noticed that CISOs are coalescing around two different approaches to security programs. The first group is focused on the noise. They react to the threat landscape and take a defense-first approach, striving for 100 percent security. They focus on technology, policy, and procedure with a goal of absolute elimination of threats.

The second group of CISOs focuses on business performance. They take a more strategic tack and, like their peers in sales, marketing, and finance, are led by the business. They seek to enable business progress with security programs. They are more engaged with their business counterparts, and not just when a breach occurs.

How do you know if you are in this second group of business-focused security leaders? Ask yourself these questions:

1. Do you have regular, two-way communication with the board?

The boardroom is where important decisions are made and where strategy is set. Business-focused security leaders have a role in the boardroom as an expert, a resource, and a visionary. They define the company’s security program as a forward-thinking program that limits risk while enabling optimal business performance. Business-minded CISOs come to the boardroom for regular conversation and to influence business practices and strategy, not to give updates on threats, hacks, and defensive schemes.

2. Do you know your organization’s top five business objectives for the year?

Business-savvy security leaders can impact growth and productivity in a positive way by aligning their efforts with corporate strategy. For example, if a company’s priority is customer acquisition, then the security team must align its initiatives in a way that supports sales and marketing strategies for growth and does not impede workforce productivity. Business-focused security leaders are able to articulate sophisticated security processes as a competitive differentiator to potential new customers.

3. Do other business leaders in the organization proactively seek your counsel?

Communication and collaboration with other business leaders are a vital part of a successful security program. A business leader wields indirect influence to great effect, and is called upon by other organizations to provide counsel. If you are routinely brought in for consultation at the earliest stages of new programs, products, and corporate direction, then it is likely others are recognizing you as a business leader.

4. Is your team composed of business-savvy technologists?

Any CISO will tell you that the strength of their program is directly linked to the strength of their team. While technology awareness and security product expertise matter, to be truly impactful, security teams must collectively understand business goals, be able to communicate effectively with business users, and position themselves as business enablers. These types of teams work from the same mission as the rest of the company and seek opportunities to strengthen programs with security elements.

Business-savvy security executives are focused on optimizing performance, not just reacting to the noise. This means they are continuously measuring their program against business goals. These security leaders are able to drown out the noise – those attacks and threats that dominate news headlines and have the potential to sway a security program off-track. At the end of the day, these leaders ask themselves one important question: “How can I security-enable my business to achieve its revenue potential?”

Three Quick Ways to Gain Indirect Influence

Network – Get out of the IT department and meet with business executives on their terms. Ask them about their priorities and challenges.
Speak their language – Leave technical jargon in the IT suite and focus on business value and risk, two areas all business leaders can understand.
Be flexible – Ensure security programs do not impede worker productivity and be willing to make changes to security processes when needed.
