Over recent weeks, I have had some great conversations with colleagues Tom Kellermann, Rick McElroy & Karen Worstell on my favorite topic, cybersecurity. I am fortunate to have been involved in the industry way before it was trendy, as an architect, consultant, CISO, and now a thought leader. Today, I want to help you secure your executives’ buy-in with advice that works from my own experience and those of my industry colleagues.
We have all seen the cyber industry use its fair share of fear, uncertainty, and doubt (FUD) to motivate everyone to act. That has worked in the past, but not now. In the business environment, we spend a lot of time and energy battling to get resources and budgets, let alone organizational and executive support for our security program. This has led the cybersecurity industry to rely on fear-based campaigns to get executive support: unless executives invest now, breaches will occur because of cyber gangs, cartels, nation-state actors, and lone wolves. Sound familiar? While the cyber actors are formidable, with budgets and resources bigger than ours, we all know that a good old “scare campaign” can get you what you need. Is there a better way? The shift from angst to assurance builds longer-term confidence and trust.
What is the perfect storm for a CISO to get their budget and resources? The answer, inevitably, is a minor data breach that bruises the organization into action. The consequence of creating excessive cyber angst is that you will, over time, diminish your credibility as a CISO. People are tired of fearmongering; they come to see you as unnecessarily emotional and lacking business maturity, and they lose confidence in you.
Here are four things you can do to move away from angst and establish assurance with your executives that cybersecurity is a good business enabler.
1. Educate Your Board and C-Suite on Cybersecurity
One of the primary responsibilities of the CISO is to teach. This responsibility is paramount to the success of their role. The CISO needs direct access to the Board, CEO, and every member of the executive team, irrespective of the organizational reporting line. To do so, they need independence in conversation, reporting, and advice to discharge their responsibilities. Hence, the “I” in the title CISO could also mean Independence or Influence, not just Information.
One of the highlights of my career was having in-depth conversations with the executive on security, covering what cybersecurity is, exploring actual risks to our business, the likelihood of these, and the journey required to better secure the business for growth. A good CISO is a storyteller, educator, motivator, evangelist, and savvy business leader. When the Board and C-Suite are educated, they are empowered, and they will trust you more. Education immunizes against angst.
2. Establish an Enterprise Cyber Risk Appetite
A vital responsibility of the Board is to establish organizational risk appetite, including the domain of cybersecurity. The Australian Institute of Company Directors summarizes the role of the Board well:
“Directors should treat their organisation’s online assets with the same level of care and attention that they pay to their organization’s real-world assets. Both are inextricably linked. Boards must use the same oversight that has applied to financial reporting and governance issues and apply it to how their organisation is effectively managing valuable data.”
To do so, the CISO needs to carefully explain the organization’s cybersecurity risks and their likely impacts on brand, regulatory compliance, financial loss, and IP. In doing so, the CISO needs to have an open dialogue with the Board on the likely year-on-year cost of building the cybersecurity capabilities to the level the Board requires. That way, the Board can decide how secure they wish the organization to be, with a clear understanding of the journey required and its likely costs. With the Board owning and directing the level of cyber maturity required, this empowerment will drive their desire to engage in mature cyber conversations.
Table 1.0 Sample Cyber Risk Appetite
3. Align Organizational KPIs to Cybersecurity Capabilities
One of the biggest challenges for the CISO is to show value for money. I know first-hand how hard it is to demonstrate that you stopped something terrible from occurring before it happened. An effective security capability thwarts attempted incursions, and proving what may have happened had you not done your job is hard.
So how can a CISO build credibility and trust with their executives on the value of a cyber investment? One way is to align your cybersecurity capabilities with organizational KPIs and report on this. For example, rather than talking about your latest secure containerization, talk about how you have built resilience into the eCommerce platform and stayed online during a recent attack, allowing the business to run.
Executives like metrics, and the better you use organizational metrics in your reporting, the more trust you will build. How do you map corporate KPIs to cyber KPIs? The correct path is to map organizational KPIs to organizational capabilities, then organizational capabilities to cyber controls, and cyber controls to cyber solutions. With this mapping in place, executives feel comfortable and engaged, and they can see where cybersecurity helps the business succeed.
4. Report on What Matters
CISOs are great at reporting what they stopped, but how about what they achieved? There is often a disconnect between the cyber team and the executive team. The executive team doesn’t need meaningless technical stats; instead, they want to know how you are tracking and delivering meaningful outcomes. They want to know how mature the cyber capability is and where it will be next year. They want to know what cyber improvements have been implemented and how these benefit the business. They want assurance around compliance and good practice. And finally, they want to know what others are doing and whether you are at pace with, behind, or ahead of the cyber capabilities of your peers.
Moving from angst to assurance takes time, honest conversation, and joint responsibility. It requires you to educate the business to embrace cybersecurity as a business enabler and not an IT function. To do so, the CISO needs to be in the business as a great influencer, communicator, and activator of business-aligned cyber maturity. I wish every CISO success in their cyber journey.