October 29, 2018 By Jasmine Henry 4 min read

As operational and security risks converge in the enterprise, the role of the chief information security officer (CISO) is evolving and expanding. Today’s CISO is seated closer to the executive function than ever before, and tasked with educating executives on enterprise security.

According to a recent white paper from RSA, 82 percent of CISOs believe their executive leadership is on board with the security team’s efforts to protect the network and data. As security risks become increasingly intertwined with business risks, it’s no wonder the executive board is starting to catch on to the criticality of data security.

How to Build Two-Way Channels Between Security and the C-Suite

While the C-suite has become more aware of the importance of a security function, recent studies have shown that security is navigating complex cultural barriers between technology departments and the boardroom. Seventy percent of CISOs reported that managing the relationship between security and risk leaders can be difficult, according to the RSA white paper. This difficulty is attributed to a lack of shared technology, language, metrics and goals.

To effectively collaborate on a framework for enterprise risk management, CISOs must establish a common network of terminology, tools and shared success measures. While the rapidly expanding role of the CISO is an uncomfortable position for many of today’s security leaders, navigating communication barriers is key to mitigating security risks.

Listen to the podcast: CISOs, Tell It Like It Is – But in English

Don’t Overestimate Cybersecurity Preparedness

According to an IBM Institute for Business Value study titled “Securing the C-Suite,” 94 percent of chief executives believe their organization will probably experience a security incident in the next two years. While awareness is growing among business leaders, nearly half of surveyed executives had an overconfident view of enterprise security posture. While 65 percent of these executives are highly confident that their security response plans are well-established, just 17 percent of enterprises met the study criteria for a well-defined and implemented cybersecurity function.

At the most prepared enterprises, the executive function takes an active role in security risk mitigation through cross-functional collaboration, an empowered CISO and defined external collaboration efforts. The significant gap between the C-suite’s perception and reality underlines the importance of cross-functional collaboration between CISOs and business leadership. With nearly half of executives displaying overconfidence, there’s a clear need to improve security risk awareness in the boardroom.

5 Steps to Collaboratively Address Security Risks

While the CISO’s role is more important than ever, many enterprises have significant room to improve alignment between security and leadership. Unfortunately, it is mostly up to the CISO to ease cultural tensions and improve mutual understanding to establish effective cross-functional collaboration before security incidents arise. Let’s take a look at five steps security leaders can take to work more effectively with top management.

1. Collaborate Earlier

Proactive collaboration between business and risk can enhance cyber-preparedness. Forty-seven percent of CISOs believe exposing business risk leaders to IT initiatives earlier in the process can help the team more accurately assess the business risk of technology initiatives.

Federal Reserve CISO Devon Bryan told the Management Information Systems Training Institute (MISTI) that today’s security leaders need to “prioritize partnerships with business units” immediately.

“CISOs need to partner to ensure customer needs and expectations are met and go-to-market strategies are supported,” he said.

Productive collaboration in the boardroom requires security leaders to actively build relationships, pursue dialog, and make sure business leaders thoroughly understand security goals and strategies.

2. Create Shared Definitions

While today’s CISOs are well-versed in the language of security practices, such as patching cadence, many lack formal knowledge of business risk assessment. Similarly, chief risk officers and other executives are well-versed in business risk language, such as impact and likelihood, but lack insight into the complex technical aspects of the network.

Creating a shared taxonomy using definitions from the National Institute of Standards and Technology (NIST) and International Organization for Standardization (ISO) is a good first step toward clearly defining security and business leaders’ goals and priorities when it comes to managing enterprise security risks.

3. Develop Unified Metrics

With shared language and an understanding of security’s role within the enterprise risk framework, CISOs should work collaboratively with the executive function to develop a key set of metrics for communicating enterprise risk and preparedness. In addition to clear success measures for cyberthreats, unified metrics should involve business units in actively securing the enterprise and employee awareness efforts.

In the MISTI article, Duke Health CISO Chuck Kesler advised enterprises to develop two or three shared annual performance goals around security and awareness. Documenting performance goals, he said, “keeps security on everyone’s radar and naturally creates opportunities to check in on progress.”

4. Formally Share Skills

Formal initiatives for a shared language and knowledge transfer between IT and risk management are critical prior to an incident. The enterprise can benefit from executive participation in drill exercises led by third-party consultants, the development of a joint competency taskforce and formal peer mentoring efforts.

5. Rely on Technology and Data

Security risk management is an inherently real-time practice. Effective, cross-functional collaboration and response requires shared tools that are likely unified by a common analytical core. To develop unified risk management models and frameworks, security leaders should first implement a comprehensive security incident and event management (SIEM) solution to improve network visibility.

Leveraging the help of expert consultants, CISOs should work to implement the necessary solutions for real-time reporting, augmented intelligence into internal and external anomalies, and response orchestration. Shared technologies among business and technology leaders can foster a common understanding the enterprise’s security posture and response capabilities.

It’s All About Finding Common Ground

While nearly half of today’s CISOs are still catching up with their expanding role in the enterprise, the convergence of cybersecurity and business risk have continued to elevate it. While today’s executive leaders are more risk-aware than ever before, CISOs must navigate new challenges around effective cross-functional collaboration and communication.

At the most cyber-prepared enterprises, the executive function is actively involved in the regular discussion of cybersecurity risks and preparedness. Effective collaboration requires shared understanding, and it’s up to today’s CISOs to develop common languages, metrics and technologies that span technologies and business units.

Listen to the podcast series: Take Back Control of Your Cybersecurity Now

More from CISO

Making smart cybersecurity spending decisions in 2025

4 min read - December is a month of numbers, from holiday countdowns to RSVPs for parties. But for business leaders, the most important numbers this month are the budget numbers for 2025. With cybersecurity a top focus for many businesses in 2025, it is likely to be a top-line item on many budgets heading into the New Year.Gartner expects that cybersecurity spending is expected to increase 15% in 2025, from $183.9 billion to $212 billion. Security services lead the way for the segment…

On holiday: Most important policies for reduced staff

4 min read - On Christmas Eve, 2023, the Ohio State Lottery had to shut down some of its systems because of a cyberattack. Around the same time, the Dark Web had a “Leaksmas” event, where cyber criminals shared stolen information for free as a holiday gift. In fact, the month of December 2023 saw more than 2 billion records breached and 1,351 disclosed security incidents, according to research from IT Governance — an increase of 332% and 187%, respectively, over the month of…

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today