In recent years, as enterprise security has captured the interest and attention of the CEO and the Board of Directors, the role of the CISO has continued to evolve and become ever-more strategic. Case in point: More than 9 out of 10 (91%) of enterprise-wide digital transformation initiatives include security and/or privacy personnel as stakeholders, according to PwC’s 2018 Digital Trust Insights Report.
HMG Strategy recently caught up with Gary Hayslip, Vice President and Chief Information Security Officer at Webroot and an Advisory Board member for the 2019 CIO Summit of America, taking place on March 27 at the Grand Hyatt New York, to get his take on the CISO’s role in enabling the enterprise to reach its future-state goals.
HMG Strategy: What should be the CISO’s role in helping the enterprise to reach its future-state objectives?
Gary Hayslip: Much of the CISO’s role is understanding the business-critical operations and assets and the risks to them. With this information, the CISO then reorients their security program to protect these critical assets while working with the executive team and peers in the other business units to help them understand the organization’s overall level of risk maturity and providing alternatives for mitigating any discovered risk exposures.
I have always felt cybersecurity is a discipline of multiple skills, knowledge tracks and soft skills that mature in an executive to manage enterprise risk.
What are some ways in which the CISO can help the enterprise strike a balance between driving innovation and pushing ahead on new business opportunities while protecting the enterprise?
GH: I believe the CISO’s responsibility is focused on assisting the business with conducting Business Impact Assessments (BIA) so the organization understands where its risks are and what critical assets are needed to survive as a company. Then, with this information, the CISO can select a risk management framework that meets the needs of the business to map out and implement security controls that allow the security program to monitor and remediate risks while the organization pushes forward with new innovative ideas to stay competitive within their chosen marketplace.
One point that is critical here is that once the CISO puts this framework and security controls in place, they have initiated a continuous lifecycle of risk management that the business must be prepared to support.
Can you offer some recommendations on effective approaches for CISOs to communicate and engage effectively with the CEO and the Board of Directors?
GH: I have found from experience when speaking with the CEO and board that it’s best not to go in with a story that the sky is falling and there is doom and gloom everywhere. They are intelligent people who hear about breaches and the latest cyber-criminal issues in the news, so it’s best not to repeat the same stuff but to talk about security and the value it is currently bringing to the organization.
I look at cybersecurity as a service focused on managing enterprise risk for the business. Cyber is not going to be a revenue-generating business unit, but if done right and supported by the company, cybersecurity can be a revenue-enhancing business unit.
How I tell this story is I complete an internal assessment to establish my organization’s risk maturity level. After the assessment is complete, I ask my peers from the other business units to help me prioritize my list of findings and then present the findings to the CEO and executive team. Along with this presentation, I lay out a strategic plan on how we will remediate these issues over a specific period (1 to 3 years). Part of this discussion will be explaining new services our revenue teams can take advantage of as we remediate these risks, and possibly third-party certifications (PCI, HIPAA, NIST, ISO) we can take advantage of to differentiate the business from competitors and enable Sales and Marketing to share how we are a mature business that is trusted with our customers’ data.
Once I have this plan in play, I develop metrics to measure our maturity as we move forward with projects and initiatives. I use these metrics to help the CEO and board see the value they are receiving for their investment into my security program.
What are some ways in which CISOs can help to foster a culture of customer-centricity within the company, not only with their direct reports but across the enterprise?
GH: To me, this is an issue of visibility and business culture. One of the first issues around culture that I as a CISO must manage is getting my teams to understand that our cybersecurity department is a customer service-oriented department. We as security professionals are there to serve our employees, and to do this effectively, employees need to know who we are, what services we provide, and how to contact us.
To provide visibility into what value a security program provides the business and help that program get accepted by the current business culture, I believe it’s important for employees and peers to understand what the CISO and teams do daily and what projects are currently in play.
In the past, I have done this with lunch-and-learns where employees would have lunch with the security teams and meet team members. Each team member would brief the employees on the technologies and projects they were working on and the CISO would brief employees on the strategic plan and current projects that require employee volunteers to help test and vet technologies.
Getting employees involved, getting the teams to be visible to their customers, and evangelizing in plain English the projects and initiatives security is working on goes a long way in building trust between employees and the CISO. I continually find, after having done this in four CISO roles, that being visible, honest, and providing good customer service goes a long way in getting cybersecurity accepted as part of the business’s daily organizational culture.
To learn more about the 2019 CIO Summit of America and to register for the event, click here.