- Christmas cyber security
- 5 min read
It’s a scenario we’re all familiar with: “Good morning, Mr Bailey, please take a seat. The interview will start now.” And although confident I have...
It’s a scenario we’re all familiar with: “Good morning, Mr Bailey, please take a seat. The interview will start now.” And although confident I have researched and prepared well, I know some searching questions are coming my way. But I also have a few of my own. After all, a job interview is a two-way street.And the CISO-CEO relationship today is much the same.
Over the last ten years the CISO role has both evolved and matured. ‘Evolved’ in the sense that today’s CISO has moved from the tactical (managing the detail of devices, vulnerabilities and access) to the strategic – working across the business, deepening organisational understanding of cyber risks and building in the resilience needed for when risk becomes reality.It has ‘matured’ because the position now demands that the incumbent hold their own at C-level. In fact, for those organisations approaching the pinnacle of information security governance, the CISO can even be found sitting at the boardroom table.Information security is no longer an issue for the CISO alone. With ‘digital’ as much the lifeblood of the business as finance, securing that domain is of increasing concern for the board. As a result, CEOs are now, quite rightly, asking their CISOs some testing questions:
Given this, what qualities does today’s CISO need, not only to answer these questions (and other such zingers) but to turn them to their advantage?
If risk management isn’t a core strength, you need to either politely make your excuses and leave, or quickly develop a risk-based approach. Why? Because risk management is the key to communicating with the CEO.Move away from qualitative risk assessment (what does ‘amber risk status’ mean anyway?) and follow the CFO’s lead of displaying your wares in hard currency. Connect impacts of security threats to potential business failures. Use metrics that resonate with the CEO and speak their everyday terms - financial, productivity and market share. Make sure you pass the “What does this mean for our revenue/production/profit?” test.For example – You make one unit every 90 seconds. An incident last month resulted in three hours’ downtime. Point out the proposed new system would have prevented the incident and saved 120 lost units. Now the CEO is listening.
The CISO has moved from a perceived ‘Business Prevention Officer’ to a business enabler, who thoroughly understands not only the organisation but how to play their part in taking it forward. Aim to have as broad a knowledge and experience of the company as possible:
Taking this approach has the additional benefits of raising the profile of information security and connecting you to the company’s key stakeholders. This facilitates a much warmer reception and open minds the next time you introduce initiatives or changes to your information security policies.
In attempting to get people to learn about and practise good information security habits, you are trying to change behaviours of those you don’t necessarily have the power to mandate. Understanding how people think, view life and change their behaviour is a key CISO attribute.Here you can leverage the informal network and develop relationships with the key stakeholders specifically centred around cybersecurity.Going a step further, establish an ‘information security ambassador network’ – an informal group of ‘lay’ representatives that create a cyber footprint across the business providing two-way communication with all areas.
Remember that leadership isn’t just about you. It’s about drawing out the best from those around you. And ensuring ‘the best’ are around you in the first place.You need to build, develop and lead a multi-disciplinary team. Think outside the box to include disciplines such as:
So you’ve got those qualities nailed, how about answering those questions?
Well, let’s rewind to that hypothetical job interview. You know the general thrust of the questions, but the key is to be prepared for all eventualities.
The hypothetical bill may surprise the CEO.
What do you need from the CEO? Well, an acceptance of a shared responsibility for a start. CEOs need to recognise the importance of cyber security and be directly involved in setting the level of acceptable risk.The CEO needs to lead by actively enquiring into emerging risks. As businesses become increasingly digital, the status of information security moves from a technical issue to an area of core business impact. CEOs need to foster the conversation in terms of understanding business risk and the impact of the changing security landscape.The wider C-suite also has responsibilities to support the CISO, so get commitment from them on:
By taking the wider business view, working across the organisation and establishing genuine two-way communication with the CEO, you may just hear the equivalent of those wonderful words:“Congratulations, you have the job!”
© The Security Company (International) Limited 2022
Office One, 1 Coldbath Square, London, EC1R 5HL, UK
Company registration No: 3703393
VAT No: 385 8337 51