A Strategy Map for Security Leaders: How CISOs Should Strive to Be Perceived by Key Stakeholders
The second row of our strategy map for security leaders is about how CISOs should strive to be perceived by the organization’s key stakeholders in order to deliver on their strategic objective of managing risk.
Modern Information Security Is in a State of Transformation
Recent conversations among more than 60 information security leaders at the NG Security Summit underscored the ongoing transformation of modern information security. In these discussions, a great deal of attention was given to the transformations taking place at a tactical, technical level:
- Attackers are increasingly sophisticated, targeted and organized.
- Defenders continue to look for the most effective ways to prevent, detect and respond more quickly to the threats, vulnerabilities and exploits that put their organizations at risk.
To be clear, these tactical transformations are the many disruptive changes taking place in a technical context.
At the same time, CISOs are also at various stages of a strategic transformation of information security, as well as a strategic transformation in themselves as its leaders. This shift calls for leaders to go far beyond their traditional comfort zones and technical subject matter expertise. This second strategic transformation is related to the first, but it’s also quite different. It should be thought of as an addition, not a replacement.
In addition to technical knowledge and subject matter expertise, security leaders are increasingly aware that business acumen and the ability to serve as a trusted adviser to senior business leaders are essential attributes. This is especially true if they are to maximize and successfully sustain the relevance of information security to key stakeholders.
It’s essential to the continued relevance of CISOs, as well. This very particular set of skills is not necessarily easy to find in a single person, but the emerging pattern for successful CISOs is clearly headed in the direction of the business-oriented technologist and the tech-savvy businessperson.
What CISOs Are Talking About
The transition to a dual or blended role is not happening overnight. For example, both sides of the coin can be seen in the leading challenges that this particular group of security leaders recently identified in roundtable discussions at the NG Security Summit.
Roundtable Discussion 1: Threat and Vulnerability Landscape
Roundtable Discussion 2: Best Practices in Security Controls
Roundtable Discussion 3: Governance, Risk, Compliance and the Business Value of Information Security
- Phishing attacks against employees
- Malware becoming more prevalent than ever and the commoditization of malware
- Personalized attacks tailored to a specific organization and its weaknesses
- Security for mobility and cloud computing
- Keeping up with the pace of change regarding technology, regulations, globalization of business and third-party relationships
- Managing talent and culture
- Using the language of risk properly and quantifying risk in terms of business impact
- Establishing a clear understanding within the organization about ownership of risk and the power and influence of the CISO to drive decisions about risk
- Ability to communicate clearly and consistently about the business value provided by information security
- Ability to hire, develop and retain the right people with the right skills for the information security team
In the workshops and panel discussions that took place over three days, a simple analysis showed that these conversations continue to skew toward the technical side, with words like security, breach, threat, risk, data and cloud being much more prevalent than business or value. This strongly suggested that information security leaders continue to be focused predominantly on technical and defensive dimensions.
The transformation noted above must happen — and there is ample evidence that it is starting to happen — but it seems clear that it will take place incrementally over an extended period.
This finding is by no means a fluke or an anomaly based on a relatively small sample size. As described in the blog “RSA Conference 2015: What We Talked About,” a similar analysis found the 77 most frequent words from the titles and descriptions of more than 300 sessions. These words were mentioned a total of 8,687 times, broken down as follows:
- Words or topics that are technical: 6,222 (72 percent); and
- Words or topics that are nontechnical: 2,465 (28 percent).
Focusing in on just those words that are related to security solutions being used in a business context revealed a similar, predominantly technical focus:
- Words or topics related to people: 204 (5 percent);
- Words or topics related to process: 662 (15 percent);
- Words or topics related to technology: 2,871 (67 percent); and
- Words or topics related to the business: 562 (13 percent).
It’s probably stretching it too far to suggest that if the goal is a 50/50 balance between the roles of subject matter experts and trusted advisers, the current split is skewed about 70/30 towards the technical side. But that’s what these numbers show.
Security Leaders Must Serve Both Roles: Subject Matter Experts and Trusted Advisers
What’s important to acknowledge is that in our strategy map for security leaders, the key stakeholders in the organization must come to perceive CISOs and the information security teams as both technical subject matter experts and trusted business advisers.
As depicted in the second row of the generalized strategy map, both roles are essential if the information security function is going to deliver successfully on its primary objective, which is to help the organization manage both types of security-related risks.
To make this perception a reality, security leaders have to take on the primary responsibility for bridging the gap between the two cultures. This means reconciling the divide that often leaves technologists on the one side and businesspeople on the other.
The first rule of evangelization is to meet people where they’re at; simply waiting for the other side to change is not the answer. Neither is complaining about not being understood or appreciated, or failing to communicate properly in the language of risk, which business leaders already understand and regularly act upon. It falls on the security leaders to take proactive steps in the right direction.