July 16, 2014 By Derek Brink 2 min read

Quick — what’s the single most important focus for today’s chief information security officer (CISO)? This was the first of seven questions raised on the topic of the role of today’s CISOs in a recent Twitter chat hosted by the IBM Security team. Before you respond, be careful: This is not the same question as, “What’s keeping today’s CISOs up at night?” nor, “What security initiatives are being given the highest priority by today’s CISOs?”

An Existential Question for Today’s CISO

No, the word “focus” means the center of interest or activity. Another way to frame this important question is, “What is the single most important reason for the CISO’s existence?” Even more concisely: What is the CISO’s raison d’être? Raison d’être is not the “R-word” referenced in the title, however; nor is it risk, although that’s not a bad guess. In fact, the single most important focus for today’s CISOs is relevance; that is, being connected with and being valued by the organization that they support. The crowd-sourced wisdom of the Twitter chat on this existential question identified three major roles:

  • Raise awareness about security;
  • Improve the maturity of the security team and its infrastructure;
  • Communicate more effectively both at the team level and at the C-level.

Of these, it should be obvious that more effective communication at the C-level — in language that business leaders speak and understand, not the jargon-laden language of IT security experts — is essential to being seen as relevant.

Raising awareness about security also goes a long way towards keeping our companies — as well as society as a whole — safer and more secure. The idea of improving the maturity of the security team and its infrastructure is certainly valid, but if we’re being honest, the route to relevance in this case is more roundabout. If the people, processes and technologies of our security team are more mature, we can expect to provide more effective security for the organization with a more efficient use of resources. It’s definitely hard to be viewed as relevant if you aren’t effective at executing your mission.

Perhaps the point to be made boils down to this: All three of these ideas speak to “how”; but “how” will be different for every organization, depending on its specific context and its current jumping-off point. The single most important focus for today’s CISO is a question of “what,” and the answer to that is relevance.

Three Questions CISOs and Other Security Leaders Must Be Able to Answer

At the Next-Generation Security Summit in June 2014, I had the privilege of leading a workshop for CISOs, which kicked off with the observation that in most organizations, the leaders of each business function are regularly asked to address some pretty basic questions with the C-level leadership:

  • What services are being provided? (A question that is increasingly addressed by security-specific metrics and dashboards.)
  • How much do these services cost? (A question that is addressed in the budgeting and resource allocation process and often supported by peer benchmarking.)
  • What value do these services provide? (Unfortunately, a question with which most CISOs still struggle.)

What do you do? How much does it cost? What value does it provide? These are the ways CISOs can demonstrate that they are connected with, and important to, the organization they support. This is how CISOs can become — and remain — relevant, which should be their single most important focus.

