Empowering the CISO
November 12, 2014
A security-focused business culture can empower the CISO to effectively perform their job, and allow them to become a respected member of the “C” level. As a result, they are able to implement a business-aligned security program that brings real value to the company.
A successful security program will contribute to revenue. It will enable business efficiency and capabilities through process improvements, ultimately enhancing output and topline.
An effective security program also builds brand name confidence, another revenue driver. Customers are becoming more savvy buyers and a well-articulated security program can make the difference in obtaining new customers. When a major breach occurs, customer confidence drops significantly and customers look for alternative places to conduct business. A business-aligned security program helps mitigate the risk of this happening, as retention of customers is extremely important to the executive team.
It may be more difficult in some industry sectors to understand how a security program contributes to revenue, but believe me it does! It is the job of an effective CISO to understand and articulate these contributions; it just may take a little more thought.
Positively Contribute to EBITDA
An effective security program will also positively contribute to bottom-line EBITDA and not just an expense line. For example, if security failure does occur, having a proper security program in place will significantly lessen the overall impact because your organization will be prepared with an incident response plan. This minimizes the cost of the breach and reduces operating expenses related to security failure.
A successful security program is also linked to the organization’s business strategies and is designed to defend against the real risks to the business. This focus reduces the need to put high protection on unimportant information, thereby reducing long-term costs of the information security program due to efficiency.
Another way a business-aligned security program can positively contribute to EBITDA is by circumventing costs of regulatory non-compliance. When a security breach occurs, it can have significant legal and regulatory costs. This impact to the organization will last for years and add to the overall operating cost of the company. An effective security program mitigates the risk of breach.
Become a Respected Member of the Executive Team
Having a business-aligned security program in place is only part of the job. The CISO must also learn to articulate their security plan, and the value it brings, in terms of benefits to the business in order to become a respected member of the executive team. They should keep in touch with what is going on in the industry and within the business, and be able to talk about how it ties back to the security program and aligns to the business.
And don’t underestimate the importance of learning to talk-the-talk and walk-the-walk.
For example, one CISO I was working with who was struggling with acceptance in the executive team got up from our conversation to head to his executive meeting. He was walking out the door with his iPad when I asked, “Do the other executives usually have iPads at the meeting?” He said, “No, they bring notebooks.” I gave him advice to put the iPad down and take a notebook.
This is just a simple illustration of how it is important to be seen as a fellow executive, and not just a technical resource. If the other executives were using iPads, then it would have been okay for him to do so, but that wasn’t the case. It may seem petty, but learning to speak and act like an executive will allow you to gain acceptance more quickly.
In order to become a recognized and respected member of the executive team, act like one. Understand how your efforts contribute to the overall success of the organization and articulate those contributions in terms that are in alignment with the other members of the executive team.
A company that has an empowered CISO who is able to implement a business-aligned information security program, and who is a respected member of the executive team, can expect to experience enhanced security, process improvements, effective compliance, and create an environment that allows “ease of doing business.”