March 28, 2018 By Christophe Veltsos 4 min read

One of the most important attributes of a chief information security officer (CISO) is the ability to govern by influence rather than edict. This skill is especially important given that, according to an August 2017 Ponemon report, many organizations struggle with conflicts related to turf and silo issues — nearly half of CISOs still report to chief information officers (CIOs) — and the lines of responsibility for cybersecurity are not always clearly defined.

To resolve these problems, CISOs must explore ways to become influencers within their organizations. But this doesn’t mean the security leader should have absolute authority and total control over the security program. As many CISOs have realized, the cybersecurity function is more likely today than ever before to hold veto power over projects, especially IT projects. Veto power is a double-edged sword, however: if abused, it can halt innovation and drive employees toward shadow IT.

According to an MIS Training Institute article that paraphrased Security Catalyst CEO Michael Santarcangelo, “CISOs can make changes and increase the scope of their influence, but only if they’re willing to realize that the name of the game is not power.” Deloitte Insights echoed this sentiment: “Instead of impeding innovation for fear of cyberthreats, the CISO should seek to be instrumental in aiding organizations to achieve their goals.” The piece also noted that “CISOs who are able to step beyond a tactical, technical level are more likely to gain credibility and support among leaders across the enterprise, including the board, CxOs and business unit leaders.”

The Art of Listening

CISOs who wish to exercise their ability to influence should remember to focus on listening first. Security leaders must use tact and diplomacy to increase the amount of contact they have with the rest of the C-suite, the board — and especially line-of-business (LOB) leaders. Some leaders view any form of engagement on the part of security folks as an attempt to meddle in business affairs and will respond defensively. That’s why CISOs must exert their influence carefully and listen to the concerns of various departments before imposing security restrictions on these lines of business.

According to journalist and former TED Global speaker Becky Blanton, “The most popular and memorable people in the world are those who give us their undivided and full attention.” In fact, per the State Department, the elements that make up the Chinese symbol for “to listen” include symbols for “you,” “eyes,” “ears,” “heart” and “undivided attention.” Together, these elements illustrate that “to listen, we must use both ears, watch and maintain eye contact, give undivided attention and, finally, be empathetic.”

Focusing on Value

It’s important to remember that few business leaders have time to think about security. If the organization is not moving at the speed of business, it’s being overtaken by competitors. The CISO will get a lot more traction — and a lot more respect — if he or she can frame security recommendations and warnings in business terms instead of technical jargon that is meaningless to business leaders.

CISOs should reframe their interactions around cyber risks, both positive and negative, that can impact a particular line of business or — for C-suite and board interactions — the entire organization. If the organization has an enterprise risk management (ERM) framework already in place, the CISO should study it and frame cybersecurity in terms of its impact on the organization’s ability to create or protect value.

Influencing by Proxy

Even the most successful CISO influencer can’t be everywhere at once. That’s where the CISO’s ability to forge strong alliances throughout the organization can help spread the word that the cybersecurity function aims to help the whole enterprise, not hinder productivity. These allies can soften the terrain of interactions with new business units. Just as critically, they can be the eyes and ears of the CISO, helping raise the alarm well before security issues become incidents.

Keeping Up With CIOs

While the CISO position has evolved into a more strategic role, so has that of the CIO. A recent study by the IBM Institute for Business Value (IBV) found that CIOs are keen to “foster innovation through singular, more personalized relationships with core constituencies.” This is key because many organizations are embracing the consumerization of IT. This means CIOs must seek to improve the way they collaborate to shape and architect digital strategies, focus on innovation and become better change agents. Where CIOs go, CISOs should follow to ensure that the business risks of both today and tomorrow are still palatable to the C-suite and the board.

Boosting CISO-Board Engagement

In its director’s handbook on cyber risk oversight, the National Association of Corporate Directors (NACD) outlined questions to help board executives strengthen their engagement with security leaders and better understand how their organization approaches cyber risks.

These inquiries aim to address:

  • The CISO’s charter and scope of authority
  • The CISO’s formal lines of reporting
  • The CISO’s access to “an independent channel to escalate issues and to provide prompt and full disclosure of cybersecurity deficiencies”
  • The nature of the CISO’s relationship network, both inside the organization (collaboration across silos and with audit, HR, legal, supply chain and third-party vendors) and outside it (threat intelligence and sharing, law enforcement relationships)

As boards reflect on and improve their oversight of cyber risks, they are increasingly looking for reassurances that the CISO is business-focused. Communication such as the questions described above can help executives and security leaders get on the same page.

Sign on the Dotted Line

As an influencer, the CISO can play a key role in shaping the organization’s cybersecurity risk strategy. When the security leader’s influence reaches all the way into the boardroom, that influence can actually help save the organization money in the aftermath of a data breach. The Ponemon Institute’s “2017 Cost of a Data Breach Study” found that board-level involvement reduced the per capita cost of a breach by more than $5.

Another benefit is the extra reach that comes with this kind of human network, used instead of, or in addition to, formal authority. As the Deloitte Review article stated, “Regardless of where the CISO function is positioned within the organization, it is important to understand where dotted-line relationships may exist and to clearly define roles to avoid confusion in responsibilities and improve integration and collaboration.” The influencer CISO will have many informal dotted-line relationships, which will benefit the entire organization.
