Cybersecurity was a primary focus of President Obama in this week’s State of the Union address. In the wake of the Sony hack and the seemingly endless stream of massive data breaches, it seems that security is finally getting more attention from both the government and the companies that are under attack. That means the CISO needs to have a seat at the table and help drive the security strategy.
Whether it’s a Chief Information Security Officer (CISO) or just a Chief Security Officer (CSO), the “Chief” part implies that the position is an upper-level executive role. It should be expected that the CISO be a part of boardroom discussions—both so that the board and the rest of the executive management team know where things stand from a risk perspective, and so that the CISO is part of the conversation as it relates to business goals.
I spoke with CEOs from a number of security vendors to talk about the importance of the CISO role, and the need for security to augment and facilitate rather than obstruct and impede the natural flow of business. Ultimately, the CISO is the person responsible for ensuring the security of the company data, as well as the data of its customers.
“Participating in boardroom discussions prepares the CISO to provide vital information and insights that the board would not have otherwise. Most executives have business, operational, and financial acumen, but history shows us that boards and executives are not typically fluent in matters of information security risk,” explained Jeremiah Grossman, founder and CEO, WhiteHat Security. “By including a trusted advisor focused on information security, the board will have the resources to navigate regulatory requirements for Payment Card Industry Data Security Standards (PCI DSS) compliance, Federal Financial Institutions Examination Council (FFIEC) assessments, and/or potential Security Exchange Commission (SEC) disclosures.”
Casey Ellis, co-founder and CEO of Bugcrowd, suggested, “It’s imperative that CISOs actively participate in boardroom activities in 2015 and beyond in order to help convince decision makers, and everyone downstream, that ‘The Bogeyman’ is real, to help them understand their security options, and to build metrics to keep them accountable. After all, the most security aware a company will ever be is immediately after a breach.”
The burden as well as the value of having the CISO engaged in the boardroom belong to both the CISO and the board itself. “As stewards of the companies they serve, board members have to be actively involved in protecting all aspects of a brand through smart risk management decisions and intelligent security investments. Who better to educate the board on the cyber security issues facing the business than the CISO?” asked Anthony Bettencourt, President and CEO of Imperva. “While board members represent a cross-section of experience and industries, the CISO has been focused on the security threats, trends, issues, regulations, products and services related to the business. It’s a win-win to invite the CISO into the boardroom.”
Attacks are happening daily, driven by a well-established, organized-crime ecosystem and nation-states, using increasingly subtle and hard-to-detect approaches that leverage existing social media and email communications mechanisms. Security has a crucial and direct impact on shareholder value. The board has a fiduciary obligation to protect shareholder value, so the board needs to take security seriously.
“It has been demonstrated repeatedly worldwide that breaches are hugely costly and can jeopardize a company’s reputation, brand equity and ultimately their bottom line,” said Gary Steele, CEO of Proofpoint. “When all it takes is one successful attack to bring down a brand that was a century or more in the making, clearly the CISO should be an active participant in board room discussions.”
JJ Thompson, managing director and CEO of Rook Security, stressed that it’s not enough for the CISO to take direction from the board, or for the board to communicate with the CISO—they need to engage face to face. “It’s critically important that the CISO can watch body language, posture, and receive unfiltered guidance from the board, as it is important for the board to receive the same from the CISO.”
The CISO needs to learn to speak business, and the board needs to learn to understand security. According to Thompson, “The challenge is that most CISOs are still learning how to deal with board room interactions and have limited business and executive experience. This is where CIOs and board members need to work closely with the CISO to coach them to enable them to successfully protect the business.”
Mark McLaughlin, Chairman, President, and CEO of Palo Alto Networks, agreed. “As the idea of the role matures, it is clear that this is not purely a technical role any more. Instead, the CISO must align Information Security at the organization with business objectives to help the company achieve its growth plans and protect its critical assets. Explaining how that is done to the board is essential to ensuring that alignment stays on track.”
“Routinely reporting to the board ensures that CISOs develop strategic plans that align with business needs, keeping them out of tactical crisis response mode,” added McLaughlin.
“For many CISOs, their first interaction with their corporate board will be to brief them about a devastating breach that results in serious financial impact and immeasurable damage to their brand,” cautioned Kevin Hickey, President and CEO of BeyondTrust. “It is critical early on that CISOs are part of board level discussions so that both board members and CISOs can have a shared understanding of the organization’s current risk level and areas that must be improved.”
Grossman summed it up nicely. “No CEO worth their salt would state, ‘I don’t need to know the state of my financials.’ We need to get to a point where CEOs place the same value on knowing the organization’s security and risk posture. Having the CISO participate in boardroom discussions is analogous to the COO and CFO each bringing their unique perspective of the business to bear in business strategy and decision-making.”
This article was written by Tony Bradley from Forbes and was legally licensed through the NewsCred publisher network.