More than ever before, CISOs need to be able to effectively communicate the value of their teams’ efforts across the entire organization, as well as upstream to the C-suite and Board of Directors, by speaking in a language the rest of the organization can understand.
We were granted the unique opportunity to discuss the challenges CISOs now face in communicating the role of security in relation to the business’s objectives with Amar Singh (@amisecured), formerly the Chief Information Security Officer at News International and currently Chair of the Security Group for ISACA.
Singh has over fifteen years experience in coordinating security strategy, policy, and operations in a large enterprise environment, and he has a proven track record in enabling core business objectives through the adoption of innovative technologies to produce transparent security operations, as well as influencing key stakeholders by communicating the benefits of a proactive security effort.
Singh first points out that the evolving role and importance of the “new” CISO has created an environment where most organizations are still undecided and sometimes just unsure about where to place the CISO within the organizational leadership structure.
“This is primarily because of historical misconceptions and also due to the fact that in many organizations even today, firewalls, VPN and Anti-Viruses are the only interactive face of information security in the organization. As a result, most executives lump security in the IT domain,” Singh said.
However, Singh believes that more modern and forward thinking executives are starting to accept the notion that the CISO is more effective when operating outside of the IT & Operations domain, and that the concept of their place in the organization should be expanded to fit their actual role.
“I believe a more business relevant title for a CISO should be something like CIPO: Chief Information and Privacy Officer,” Singh said. “As the Gartner summit put it, CISOs are the new business leaders, but mainstream acceptance is still lagging and will take a while to catch up.”
As the CISO role has expanded to that of a business leader rather than simply a security manager, the challenge of how to better communicate security efforts to other business units as well as the C-suite has arisen.
Singh says this fact means CISOs have to approach their jobs with a new mindset, and stop thinking that Technology is a panacea to all the security problems the organization faces.
“Cisos need to do things like integrate with the project management office on initiatives, and engage key stakeholders including legal, HR, marketing and IT on a regular basis,” Singh said. “They need to obtain or produce business requirements rather than just security requirements. It’s easier to communicate business requirements to the business class, it’s something they can wrap their minds around.”
Singh said they also need to understand and encourage the adoption of standards and frameworks like ISO 27001 and COBIT 5 for the whole of the enterprise. “CISOs need to create and demonstrate security’s value to the entire business , and that can only be achieved by meeting with and understanding the wide variety of stakeholder’s needs,” Singh noted.
One of the first steps to accomplishing this is to make security efforts more visible to the rest of the organization, according to Singh.
“Engage people across the organization. Make security a more friendly and open endeavor, and encourage people to communicate with the information security office on a regular basis, not just when there are concerns,” Singh said. “Engage every employee with infosec – talk to people, walk the floor if you have to. Share with your employees how infosec can help their personal and professional lives.”
“Consider organizing ‘security open days’ where the business can see how Information security is making a difference to the company’s bottom line. Hold one day or half day training and awareness sessions featuring the technologies that security may be introducing into the environment, and explain how they work to support key business objectives,” Singh continued.
CISOs should also make sure that all security efforts are well aligned with overall enterprise risk management program, and this can only really be accomplished if the CISO has a seat on the corporate risk committee.
“This will enable the CISO to better understand the corporate risk framework, risk appetite, and approach to mitigation. The CISO should also have full view of the IT risk register and be an integral member of the risk IT risk committee,” Singh said.
In addition, Singh recommends that all IT transformation initiatives or software development projects must be governed by the information security & privacy office.
“For example, the security folks may have an all dancing, all singing solution that automatically encrypts all exchange emails. But what use is this solution if the business has already decided that all email will be moving to the cloud?” Singh said. “The project management office must have multiple and relevant infosec checkpoints to allow the CISO’s office to assist in aligning an incoming project’s profile with the overall risk appetite.”
As such, the CISO and their team must do their best to prioritize what’s most important to the organization so they can direct their efforts towards prioritizing their activities to the most relevant risks.
“Knowing the pain points of each business unit and understanding what keeps the CIO, CEO, and CFO awake at night is crucial. The principle of does this initiative help the business’s tactical and strategic goals? must always apply,” Singh noted.
CISOs also need to determine how they can best measure the impact of security efforts on the business, and as Singh points out, ROI in security is at best a “fine art,” so how do CISOs know if they are measuring the right things?
Singh says that historically IT has been encouraged to present the top ten attackers, top ten vulnerabilities, top ten this, top ten that. But this may not be what the CISO needs to communicate the security posture to the rest of the organization, particularly the executive level.
“As a CISO, although I do want to have access to this kind of information, I am really interested to know what successful or nearly successful attacks were thwarted, what the damage was or could have been, and what the likelihood is that the same risk will be materializing again,” Singh said.
“I also want my office to measure the controls and the effectiveness of those controls. Another way to put this: I need the metrics to align with what the stakeholders need to know, and how they connect to the overall business strategy of the organization.”
While that may be no easy task, it is what is required of the new CISO, and what will make attaining the required level of support from management and the rest of the organization possible.
- Michael Santarcangelo on the Value Imperative Mindset in Security
- Consequences Matter, Assets Don’t – At First…
- Four Things You Should Teach Your CEO about IT Security
- Infosec Gurus on Positioning Security as a Business Enabler
P.S. Have you met John Powers, supernatural CISO?
Title image courtesy of ShutterStock