THE CISO’S YEAR OF ACTION AND EXECUTION
Get Your CEO to Vouch for Security by Executing on Business Goals
In our last issue of Feats of Strength we spoke about Outliers. We took Malcolm Gladwell’s book about the attributes of innovative and impactful people and applied it to our industry to identify the traits required to be successful in Information Security. To borrow briefly from Gladwell again, it seems we have collectively reached a Tipping Point in 2016. Gladwell defines a Tipping Point as “the moment of critical mass, the threshold, the boiling point.” We believe that in 2016 CISOs will reach the threshold of business impact. This is the year of action and execution for our industry.
Over the course of more than fifty interviews with CISOs, we learned that most have been in their role for an average of 16 months. Michael Newborn, CISO at Bloomberg BNA and a Feats of Strength Editorial Board advisor, states this is when people in any role, in any profession, reach peak confidence levels. Newborn says, “A typical trend for any employee is that in the first six months of a new role you assess and observe, over the next 12 months you plan, by 18 months you gain confidence to execute and make a real impact.” Many CISOs are hitting their confidence and performance sweet spot right now, which is why this year has the potential to dramatically evolve information security’s role in business.
ALIGN WITH THE CEO AND C-SUITE, AND UNDERSTAND THEIR PRIORITIES
We have had many discussions with CISOs about participating in Boardroom conversations. Many deem it a critical element to program success. Just as important though, and possibly a better starting point, is the CISO’s relationship to the CEO. CISOs who align efforts closely with their CEO gain more than an ally; these CISOs now have someone to vouch for security across the company.
According to a KPMG survey, in 2016 CEOs are focusing on efficient growth and leveraging innovation to keep competitors and disruptors at bay. But the survey makes clear that the CEO’s biggest concerns remain financial performance, followed closely by risk management. To gain attention and influence with the CEO, it is imperative to align with their priorities. CISOs help the CEO be successful by identifying and explaining risks that can impact innovation and revenue. With this focus, CISOs can avoid compartmentalizing risk as a business function.
To make an impact on the business this year, CISOs will focus efforts and interactions with the CEO, CFO, and other C-suite leaders around these core priorities – impacting financial goals, understanding and mitigating risk, and enabling efficient growth. Christopher Dunning, CSO of Affinion Group and another Feats of Strength Editorial Board advisor, says, “For me, this year is really about business enablement. Our Executive Vice President of Sales needs me to participate in sales calls. Security is at the center of business visibility, decisions, and our focus as a company.” Another Feats of Strength Editorial Board advisor, Hussein Syed, CISO at Barnabas Health, says that his CEO is focused on managing risks to their brand reputation and mitigating financial losses.
AN EVOLUTION TAKES SHAPE, CEOS VOUCH FOR SECURITY AS A BUSINESS ENABLER
Kevin Hamel, the CISO of COCC, a financial services organization, is featured in this issue. For his company, security and compliance is a top strategic priority. In his profile, Hamel states, “Our CEO is one of the most vocal supporters of security and risk management as a top priority. It is absolutely true that the security mindset has to start from the top. It makes it easy to get security ingrained in corporate culture when the CEO and the Board are the most committed to the effort.”
Many CISOs are not in Hamel’s situation. Many CEOs have seen security as something they have to do for operational and regulatory reasons. CEOs have a fiduciary responsibility to safeguard the company and its data and to protect shareholder value, and the security program helps them check those boxes. But as CISOs take action this year to evolve security from a position of compelled response to a strategic business enabler, the CEO’s commitment to security will evolve as well.
Therefore, the CEO will also come to a security Tipping Point this year. The CEO’s Tipping Point will be spurred by CISO actions. As CEOs realize the impact security can have on risk management, enabling business productivity and protecting revenue, they will evolve to become security’s sponsors, vouching for the value of security initiatives and their strategic impact. We are excited to work with and support CISOs as they execute in this very big year.
KEVIN WEST is the founder and CEO of K logix, a leading information security company based in Brookline, MA. K logix helps create confident information security programs that align with business objectives.