As operational and security risks converge in the enterprise, the role of the chief information security officer (CISO) is evolving and expanding. Today’s CISO is seated closer to the executive function than ever before, and tasked with educating executives on enterprise security.

According to a recent white paper from RSA, 82 percent of CISOs believe their executive leadership is on board with the security team’s efforts to protect the network and data. As security risks become increasingly intertwined with business risks, it’s no wonder the executive board is starting to catch on to the criticality of data security.

How to Build Two-Way Channels Between Security and the C-Suite

While the C-suite has become more aware of the importance of a security function, recent studies have shown that security is navigating complex cultural barriers between technology departments and the boardroom. Seventy percent of CISOs reported that managing the relationship between security and risk leaders can be difficult, according to the RSA white paper. This difficulty is attributed to a lack of shared technology, language, metrics and goals.

To collaborate effectively on an enterprise risk management framework, CISOs must establish a common vocabulary, shared tools and agreed measures of success. While the rapidly expanding role of the CISO is an uncomfortable position for many of today's security leaders, navigating these communication barriers is key to mitigating security risks.


Don’t Overestimate Cybersecurity Preparedness

According to an IBM Institute for Business Value study titled “Securing the C-Suite,” 94 percent of chief executives believe their organization will probably experience a security incident in the next two years. While awareness is growing among business leaders, nearly half of surveyed executives had an overconfident view of enterprise security posture. While 65 percent of these executives are highly confident that their security response plans are well-established, just 17 percent of enterprises met the study criteria for a well-defined and implemented cybersecurity function.

At the most prepared enterprises, the executive function takes an active role in security risk mitigation through cross-functional collaboration, an empowered CISO and defined external collaboration efforts. The significant gap between the C-suite’s perception and reality underlines the importance of cross-functional collaboration between CISOs and business leadership. With nearly half of executives displaying overconfidence, there’s a clear need to improve security risk awareness in the boardroom.

5 Steps to Collaboratively Address Security Risks

While the CISO’s role is more important than ever, many enterprises have significant room to improve alignment between security and leadership. Unfortunately, it is mostly up to the CISO to ease cultural tensions and improve mutual understanding to establish effective cross-functional collaboration before security incidents arise. Let’s take a look at five steps security leaders can take to work more effectively with top management.

1. Collaborate Earlier

Proactive collaboration between business and security leaders can enhance cyber-preparedness. Forty-seven percent of CISOs believe exposing business risk leaders to IT initiatives earlier in the process helps the team assess the business risk of technology initiatives more accurately.

Federal Reserve CISO Devon Bryan told the Management Information Systems Training Institute (MISTI) that today’s security leaders need to “prioritize partnerships with business units” immediately.

“CISOs need to partner to ensure customer needs and expectations are met and go-to-market strategies are supported,” he said.

Productive collaboration in the boardroom requires security leaders to actively build relationships, pursue dialogue, and make sure business leaders thoroughly understand security goals and strategies.

2. Create Shared Definitions

While today’s CISOs are well-versed in the language of security practices, such as patching cadence, many lack formal knowledge of business risk assessment. Similarly, chief risk officers and other executives are well-versed in business risk language, such as impact and likelihood, but lack insight into the complex technical aspects of the network.

Creating a shared taxonomy using definitions from the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) is a good first step toward clearly defining security and business leaders' goals and priorities when it comes to managing enterprise security risks. NIST SP 800-30 (risk assessments) and ISO/IEC 27005 (information security risk management), for example, both define threat, vulnerability, likelihood and impact in terms that security and risk leaders can use side by side.

3. Develop Unified Metrics

With shared language and an understanding of security's role within the enterprise risk framework, CISOs should work collaboratively with the executive function to develop a key set of metrics for communicating enterprise risk and preparedness. In addition to clear success measures for cyberthreats, unified metrics should cover the business units' own contributions to securing the enterprise and the results of employee awareness efforts.

In the MISTI article, Duke Health CISO Chuck Kesler advised enterprises to develop two or three shared annual performance goals around security and awareness. Documenting performance goals, he said, “keeps security on everyone’s radar and naturally creates opportunities to check in on progress.”

4. Formally Share Skills

Formal initiatives for a shared language and knowledge transfer between IT and risk management are critical prior to an incident. The enterprise can benefit from executive participation in drill exercises led by third-party consultants, the development of a joint competency taskforce and formal peer mentoring efforts.

5. Rely on Technology and Data

Security risk management is a continuous, near-real-time practice. Effective cross-functional collaboration and response require shared tools, ideally unified by a common analytical core. To develop unified risk management models and frameworks, security leaders should first implement a comprehensive security information and event management (SIEM) solution to improve network visibility. A SIEM only delivers that visibility once the relevant log sources are actually onboarded and its detection rules are tuned to the environment; deploying the platform alone does not change what the organization can see.

Leveraging the help of expert consultants, CISOs should work to implement the necessary solutions for real-time reporting, augmented intelligence into internal and external anomalies, and response orchestration. Shared technologies among business and technology leaders can foster a common understanding of the enterprise's security posture and response capabilities.

It’s All About Finding Common Ground

While nearly half of today's CISOs are still catching up with their expanding role in the enterprise, the convergence of cybersecurity and business risk has continued to elevate that role. While today's executive leaders are more risk-aware than ever before, CISOs must navigate new challenges around effective cross-functional collaboration and communication.

At the most cyber-prepared enterprises, the executive function is actively involved in the regular discussion of cybersecurity risks and preparedness. Effective collaboration requires shared understanding, and it's up to today's CISOs to develop the common languages, metrics and technologies that span technology and business units.
