Quick — what’s the single most important focus for today’s chief information security officer (CISO)? This was the first of seven questions on the role of today’s CISOs raised in a recent Twitter chat hosted by the IBM Security team. Before you respond, be careful: This is not the same question as, “What’s keeping today’s CISOs up at night?” nor, “What security initiatives are being given the highest priority by today’s CISOs?”
An Existential Question for Today’s CISO
No, the word “focus” means the center of interest or activity. Another way to frame this important question is, “What is the single most important reason for the CISO’s existence?” Even more concisely: What is the CISO’s raison d’être? Raison d’être is not the “R-word” referenced in the title, however; nor is it risk, although that’s not a bad guess. In fact, the single most important focus for today’s CISOs is relevance; that is, being connected with and being valued by the organization that they support. The crowd-sourced wisdom of the Twitter chat on this existential question identified three major roles:
- Raise awareness about security;
- Improve the maturity of the security team and its infrastructure;
- Communicate more effectively both at the team level and at the C-level.
Of these, it should be obvious that more effective communication at the C-level — in language that business leaders speak and understand, not the jargon-laden language of IT security experts — is essential to being seen as relevant.
Raising awareness about security also goes a long way towards keeping our companies — as well as society as a whole — safer and more secure. The idea of improving the maturity of the security team and its infrastructure is certainly valid, but if we’re being honest, the route to relevance in this case is more roundabout. If the people, processes and technologies of our security team are more mature, we can expect to provide more effective security for the organization with a more efficient use of resources. It’s definitely hard to be viewed as relevant if you aren’t effective at executing your mission.
Perhaps the point to be made boils down to this: All three of these ideas speak to “how”; but “how” will be different for every organization, depending on its specific context and its current jumping-off point. The single most important focus for today’s CISO is a question of “what,” and the answer to that is relevance.
Three Questions CISOs and Other Security Leaders Must Be Able to Answer
At the Next-Generation Security Summit in June 2014, I had the privilege of leading a workshop for CISOs, which kicked off with the observation that in most organizations, the leaders of each business function are regularly asked to address some pretty basic questions with the C-level leadership:
- What services are being provided? (A question that is increasingly addressed by security-specific metrics and dashboards.)
- How much do these services cost? (A question that is addressed in the budgeting and resource allocation process and often supported by peer benchmarking.)
- What value do these services provide? (Unfortunately, a question with which most CISOs still struggle.)
What do you do? How much does it cost? What value does it provide? These are the ways CISOs can demonstrate that they are connected with, and important to, the organization they support. This is how CISOs can become — and remain — relevant, which should be their single most important focus.