Connecting for Cybersecurity: Why CISOs Need to Get Out of Server Rooms and into Board Rooms

Years of recommendations, warnings and buzzwords are coming true, according to experts at the 2016 RSA Conference, held last week at the Moscone Center in San Francisco. The 25^th anniversary of the conference featured panels on talent fostering and education, technical skills and hacking, executive improvement, and the latest trends in threats, defenses and metrics. More than 40,000 attendees visited the conference this year for keynotes, product demos, tutorials, seminars and more – a record number, driven (say experts at RSA) by enterprises’ increased realization that cybersecurity is a business issue, not just an IT issue.

According to Scott Keoseyan, cyber threat intelligence leader for Deloitte, this shift is inherent even in the name of the department, saying that “InfoSec” is viewed as an IT problem, but “cybersecurity” is viewed, from the C-suite to the line-level employee, as a business problem.

Many of the panels, keynotes and Security editors’ conversations at the show revolved around the idea of how to advance a business-centric approach to cybersecurity, and it often hinged on one major area: the interpersonal skills of your security executive.

For example, Frank Kim (CISO for SANS Institute) presented a seminar on how to build the CISO role up as a security and business leader. There is still a disconnect between security and the business, he says, and CISOs can follow the following three steps to improve their business-minded approach to cybersecurity:

1. Build Your Business Case: Do not use a comparison of cybersecurity spending between your enterprise and your main competitors for your whole case for new cybersecurity investments, Kim says. Using a security framework (such as the NIST Cybersecurity Framework or something similar) can help to provide a blueprint for your enterprise’s cybersecurity investment and growth, and it can provide an easier comparison for enterprise leadership.
2. Focus on Your Relationships with Key Stakeholders: CEOs care about growth, CFOs care about cost, and CIOs want to ensure that products and services are delivered on time and without error. Frame your cybersecurity case to each office according to what their main goals are, says Kim. Stakeholders have three levels of power, he adds: Veto, Voice and Vote. Make sure you know who has which authority, and craft your messaging accordingly.
3. Master Your Messaging: Don’t ever just ask for the money. And the old “FUD” (Fear, Uncertainty, Doubt) method of explaining threats or solutions (“If we don’t buy XYZ, we could end up like so-and-so!”) is no longer as impactful as CISOs want it to be. Sell a vision on how the investment will enable you to solve business problems, says Kim.

A lot of this also involves getting to know your stakeholders personally. According to Dr. Christopher Pierson, CSO and GC for Viewpost, and Terry Ragsdale, CFO for the LSQ Funding Group, educating key stakeholders and partners can hinge on how you tailor your message to their knowledge base.  If your CFO is a smart home expert, working with IoT-connected thermostats and the like, use this information to frame the business’s IoT risks in context for him or her.

Talk about the impact, Pierson says; talk about risk, not security.

For example, if pitching a phishing campaign or control solution, help the CFO understand how a particular control will help the business – how much the risk could cost if unchecked, and how much the control will cost to protect the business against that risk, and what risk might still remain after the control is implemented.

Before pitching to your C-Suite, they say, look closely at internal documents – how does your CFO/CEO/CIO like to receive information? Charts, frameworks, financial data… determine which methods have been best received, and follow that presentation path.

CISOs need to frame cybersecurity as a business-enabling facet of the enterprise. While CISOs are traditionally rooted in the technical aspects of the job, the most successful cybersecurity leaders are those who know when to discuss the nitty-gritty of technology and when to focus on the broader picture. According to Tom Patterson, VP/GM Global Security Solutions for Unisys, executives who are classically trained in security but also understand technology, are advancing faster.

The C-suite doesn’t care about the technology aspects of a solution, he says, but they do want to know and understand the business aspects. The CISO reports into the Board, the CFO, the CEO… not just IT. Getting further ahead in the enterprise now will take CISOs educating themselves on different aspects of business – insurance, finance, operations – to get a better concept of what these departments’ risks and motivations are, so that cybersecurity can enable existing and incoming projects that fit within the spheres of those departments, Patterson says.