Over the past 18 months, there has been a bit of a sea change in the chief information security officer (CISO) role. Fundamentally, the CISO is the individual who is responsible for the protection of an entity’s information.
The US Securities and Exchange Commission (SEC) has issued a proposed rule change on cybersecurity risk management, strategy, governance, and incident response disclosure by public companies that requires publicly traded companies to provide evidence of the board’s oversight of cybersecurity risk.
Couple this with the former CSO of Uber being found guilty on charges of “obstruction of the proceedings of the Federal Trade Commission” and it is clear the hand at the helm must be able to navigate all types of seas in their entity’s political milieu. In this regard, the CISO needs to acquire political capital.
CISOs should not be intimidated by business politics
Perspectives have previously been shared on why the CISO must have a seat at the leadership table, while others opine that it is not required.
“Politics exist, but life would be better if it didn’t,” Rapid7 CSO Jaya Baloo tells CSO. She believes that CISOs should not be intimidated by the politics of a business but should rather “hold it in wonder and strive to understand.” The reality, she noted, is that in the realm of rapid response, engaging in politics is counterproductive.
She acknowledges that she has a seat at the table as the CSO and as part of her company’s audit committee. That said, to acquire resources, including funding from those who hold the purse strings, one must be able to talk in understandable terms and clearly “demonstrate value.”
To that end, she shared her Potential Harm of Security Incident Calculator, which she uses to document and quantify the value of incidents prevented. Baloo says she uses this calculator regularly: “Every time our SOC prevents an incident, it takes one to two minutes to put a monetary value on the incident using the calculator.”
The calculator measures six categories:
- The likelihood of such an incident occurring.
- The impact on publicity.
- The impact on service.
- The impact on privacy.
- The direct cost of repairs resulting from an incident.
- The severity of the incident.
Beware the ‘I need to report to the CEO’ instinct
Where a security leader sits in a company’s pecking order or to whom they report “is fundamentally irrelevant, because every organisation sees things differently,” according to John Stewart, president of Talons Ventures and a former chief security and trust officer at Cisco. “The relevant piece is access, support, authorities, and accountability,” Stewart tells CSO.
Stewart has cautioned CISOs many times to be careful of the “I need to report to the CEO to be effective” instinct. “That suggests either the business, the culture, or the individual are ineffective.” A more effective approach should be, according to Stewart: “I need access to the CEO with their support and a clear understanding of my responsibilities and authorities that is backed up with action.”
This is pretty much in line with the thinking of Malcolm Harkins, former CISO at Intel and other entities, who tells CSO that it is “unimportant” to whom an individual CISO reports. “The CISO is the one who should be responsible and accountable for mitigating risk,” he says. “To demand a seat at the table is not how one goes about business — earn that spot at the table, don’t demand it.”
Harkins says many CISOs don’t view risk as their responsibility, and that is not a productive line of thinking. “Business may own the risk decision, but the entire company owns the challenge of protecting and mitigating the identified risks which accompany a business decision. It is a dynamic state and not static.”
A CISO’s integrity matters most of all
There is no getting around the fact that the position of the CISO comes with pressure, as articulated in a 2022 article by Harkins, “Integrity Matters,” in which he highlighted that cybersecurity professionals were considering quitting the industry due to stress. In the same piece, he noted a survey he conducted in which 76% of technology leaders responded that they “have felt some sort of pressure, either self-imposed or initiated by others, to under-report the reality of a security risk.”
Harkins hits the nail on the head: integrity does matter. He concluded his essay with: “We can eliminate most of the material risk exposure from cyber if we understand it, align on it, and hold ourselves accountable to managing it properly.”
With the sea changes occurring under our collective keel, CISOs must be prepared to enter the discussion and articulate risk and mitigation strategies in business terms. They cannot lean on the complexity of their teams’ efforts to obfuscate; they must be clear, precise and, above all, speak truth to power.