Being a CISO is like being a wildland firefighter surrounded by arsonists. This stark reality is compounded by internal politics within the  IT department.  In the absence of greater authorities, internally it can feel like you are climbing a mountain on a daily basis. CISO’s who care deeply about their organization’s security are still marginalized due to a failure in corporate governance. The constant fight for resources and authorities within in an organization is due to an outdated reporting structure wherein the majority of CISO’s report to the CIO.

Defensive coordinators shouldn’t report to offensive coordinators.

In 2021 cyber cartels are hijacking the digital transformation of corporations and escalating intrusions by leveraging destructive attacks. The global insurgency underscores the immediate need for CISOs to be empowered.

Here is a ten-step strategy to bolster and strengthen your position as CISO:

  1. Learn the business of your organization and translate cyber risk to business risk.
  2. Befriend your General Counsel and explain how cybersecurity is a “duty of loyalty”. Explain why worst case scenario has changed to the digital transformation that will be hijacked and used to attack our customers and partners.
  3. Consolidate your security tools and ensure they are integrated.
  4. Decrease dwell time and raise Board awareness by conducting weekly threat hunts.
  5. Join the Advisory Board of your top two security vendors and influence their designs.
  6. Write monthly concise reports for your Board which include imagery.
  7. Bring in external cyberthreat experts to brief your Board on industry specific cyber-attack campaigns on a quarterly basis.
  8. Participate in your regional cyber fraud taskforce.
  9. If you don’t have the personnel or capacity to manifest your security vision, hire an MDR firm who specializes in your industry.
  10. Speak at the major cybersecurity conferences and develop your personal brand.

These ten tactics will empower you. Cybersecurity can no longer be viewed as an expense but rather a functionality of conducting business. This is about brand protection. I hope this is the beginning of a historic journey for the CISO community.

“Not all the armies of the history of the world can stop an idea whose time has come.” – Victor Hugo.

@TAKellermann