Historically, the role of the Chief Information Security Officer (CISO) has been synonymous with protecting the enterprise and its information assets and mitigating organizational risk. But with CEOs and board members primarily focused on growing the business, CISOs are increasingly being asked to strike a balance between growing the business and pushing digital strategies forward while still protecting the organization.
According to a 2018 Accenture study, CISOs and security leaders typically are not involved when business units develop new products, services and processes – each of which entails some cyber risk. On the bright side, 38% of respondents to the Accenture study say the CISO is brought in before a new business is considered.
“The CISO’s job is to oversee and manage cyber risks of the organization,” said Matthew Rosenquist, Cybersecurity Strategist at Intel Corporation. “They play a crucial role in helping to determine the optimal level of risks that should be sought, advocating for the necessary support, and implementing effective controls to achieve the goals in the face of intelligent adversaries. It is a job of balancing risks, costs, and usability for a value-added benefit to the organization,” said Rosenquist, who will be speaking at HMG Strategy’s upcoming Silicon Valley CISO Executive Leadership Summit in Menlo Park on March 21.
For his part, Steven Booth, Chief Security Officer at FireEye, has had a few experiences in guiding business enablement as a security leader. “One of our business units came to me and they had just gotten to proof of concept with a new service but they hadn’t started writing code yet. They wanted to make sure they could do this project without any GDPR or privacy issues. That’s a great conversation to have as a CISO -- that’s the enablement and innovation side,” said Booth.
Booth will also be speaking at the upcoming Silicon Valley CISO Summit.
“The CISO needs to understand the business from A to Z,” said Jason Hengels, Founder of Exposure Security. “It's not a role that lends itself well to someone who just wants a job in the security space. To truly provide optimum value, the CISO needs to have a mind for business and must be able to understand the potential positive and negative impacts to the business that can occur due to their decisions.”
As a simple example, notes Hengels, anyone can say, ‘If we have a 7-character minimum password policy on our website, we might get hacked and that's bad.’ “A good CISO needs to understand the potential revenue impact posed by making the password policy longer and the likely earnings impact if the business suffers a breach due to that particular issue,” said Hengels. “A CISO who can execute in that manner will make better decisions and their recommendations are more likely to be followed by management.”
Plus, as companies are increasingly ‘going digital’ and executives explore what this means for their business models and approaches to customer experience, planning for and embedding the right level of cyber security into digital transformation initiatives becomes critical, said Chad Kalmes, Vice President, Technical Operations at PagerDuty.
Kalmes, who is an advisory board member for the Silicon Valley CISO Summit, points to how cyber security has historically been approached as a bolt-on to pre-existing business processes. “A lot of that 'after-the-fact' approach honestly led to a great deal of user friction with initial security controls and projects,” said Kalmes. “Security programs and controls weren't often planned into the strategy from Day 1, so they generally wound up being less successful and more burdensome on the end user. With so many companies now re-thinking some of their core processes and approaches to how they re-invent and re-implement their strategies, and with growing trends like DevSecOps, CISOs have the opportunity to evaluate risks in conjunction with those changes and design the right kinds of preventative and detective controls along the way. That should lead to not only better risk reduction for the companies involved, but also a better and less obtrusive fit for end users and customers.”
In order for CISOs to make this pivot, they also must break free of the ‘Doctor No’ role.
“While the CIO role has matured, the CISO role is still relatively new and it needs to evolve from a technical role to more of a business role,” said Mark Egan, Partner, StrataFusion, who will also be speaking at the upcoming Silicon Valley CISO Summit. “Instead of being the person who says ‘You can’t do this’, the CISO needs to outline what the company needs to do from a security standpoint to help the organization reach its future state.”