Putting the ‘I’ in CISO: Why the Security Leader Must Become an Influencer

One of the most important attributes of a chief information security officer (CISO) is the ability to govern by influence rather than edict. This skill is especially important given that, according to an August 2017 Ponemon report, many organizations struggle with conflicts related to turf and silo issues — nearly half of CISOs still report to chief information officers (CIOs) — and the lines of responsibility for cybersecurity are not always clearly defined.

To resolve these problems, CISOs must explore ways to become influencers within their organizations. But this doesn’t mean the security leader should have absolute authority and total control over the security program. As many CISOs have realized, the cybersecurity function is much more likely today to have veto power over projects, especially IT projects, than ever before. However, veto power can be a double-edged sword that (if abused) can halt innovation and influence employees to turn to shadow IT.

According to an MIS Training Institute article that paraphrased Security Catalyst CEO Michael Santarcangelo, “CISOs can make changes and increase the scope of their influence, but only if they’re willing to realize that the name of the game is not power.” Deloitte Insights echoed this sentiment: “Instead of impeding innovation for fear of cyberthreats, the CISO should seek to be instrumental in aiding organizations to achieve their goals.” The piece also noted that “CISOs who are able to step beyond a tactical, technical level are more likely to gain credibility and support among leaders across the enterprise, including the board, CxOs and business unit leaders.”

The Art of Listening

CISOs who wish to exercise their ability to influence should remember to focus on listening first. Security leaders must use tact and diplomacy to increase the amount of contact they have with the rest of the C-suite, the board — and especially line-of-business (LOB) leaders. Some leaders view any form of engagement on the part of security folks as an attempt to meddle in business affairs and will respond defensively. That’s why CISOs must exert their influence carefully and listen to the concerns of various departments before imposing security restrictions on these lines of business.

According to journalist and former TED Global speaker Becky Blanton, “The most popular and memorable people in the world are those who give us their undivided and full attention.” In fact, per the State Department, the elements that make up Chinese symbol for “to listen” include symbols for “you,” “eyes,” “ears,” “heart” and “undivided attention.” Together, these elements illustrate that “to listen, we must use both ears, watch and maintain eye contact, give undivided attention and, finally, be empathetic.”

Focusing on Value

It’s important to remember that few business leaders have time to think about security. If the organization is not moving at the speed of business, it’s being overtaken by competitors. The CISO will get a lot more traction — and a lot more respect — if he or she can frame security recommendations and warnings in business terms instead of technical jargon that is meaningless to business leaders.

CISOs should reframe their interactions around cyber risks, both positive and negative, that can impact a particular line of business or — for C-suite and board interactions — the entire organization. If the organization has an enterprise risk management (ERM) framework already in place, the CISO should study it and frame cybersecurity in terms of its impact on the organization’s ability to create or protect value.

Influencing by Proxy

Even the most successful CISO influencer can’t be everywhere at once. That’s where the CISO’s ability to forge strong alliances throughout the organization can help spread the word that the cybersecurity function aims to help the whole enterprise, not hinder productivity. These allies can soften the terrain of interactions with new business units. Just as critically, they can be the eyes and ears of the CISO, helping raise the alarm well before security issues become incidents.

Keeping Up With CIOs

While the CISO position has evolved into a more strategic role, so has that of the CIO. A recent study by the IBM Institute for Business Value (IBV) found that CIOs are keen to “foster innovation through singular, more personalized relationships with core constituencies.” This is key because many organizations are embracing the consumerization of IT. This means CIOs must seek to improve the way they collaborate to shape and architect digital strategies, focus on innovation and become better change agents. Where CIOs go, CISOs should follow to ensure that the business risks of both today and tomorrow are still palatable to the C-suite and the board.

Boosting CISO-Board Engagement

In its director’s handbook on cyber risk oversight, the National Association of Corporate Directors (NACD) outlined questions to help board executives strengthen their engagement with security leaders and better understand how their organization approaches cyber risks.

These inquiries aim to address:

  • The CISO’s charter and scope of authority
  • The CISO’s formal lines of reporting
  • The CISO’s access to “an independent channel to escalate issues and to provide prompt and full disclosure of cybersecurity deficiencies”
  • The nature of the CISO’s relationship network, both inside (collaboration across silos and with audit, HR, legal, and supply chain and third party vendors) and outside (threat intelligence and sharing, law enforcement relationships) the organization

As boards reflect on and improve their oversight of cyber risks, they are increasingly looking for reassurances that the CISO is business-focused. Communication such as the questions described above can help executives and security leaders get on the same page.

Sign on the Dotted Line

As an influencer, the CISO can play a key role in shaping the organization’s cybersecurity risk strategy. When the security leader’s influence reaches all the way into the boardroom, that influence can actually help save the organization money in the aftermath of a data breach. The Ponemon Institute’s “2017 Cost of a Data Breach Study” found that board-level involvement reduced the per capita cost of a breach by more than $5.

Another benefit is the extra reach that comes with this form of human network instead of — or in addition to — formal authority. As the Deloitte Review article stated, “Regardless of where the CISO function is positioned within the organization, it is important to understand where dotted-line relationships may exist and to clearly define roles to avoid confusion in responsibilities and improve integration and collaboration.” The influencer CISO will have many informal dotted-line relationships, which will the benefit the entire organization.

Listen to the podcast series: Take back control of your cybersecurity now

Christophe Veltsos

InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato

Chris Veltsos is a professor in the Department of Computer Information Science at Minnesota State University, Mankato...