The chief information security officer (CISO) has always been a unique position. While it has “chief” in the title, it isn’t always considered part of the C-suite, making its position in the corporate hierarchy somewhat murky. Sometimes it reports to the chief technology officer (CTO), other times to the chief information officer (CIO) — or even the chief financial officer (CFO). Just about every organization has a CISO these days, but where the CISO fits into the reporting structure can vary widely from company to company. This isn’t necessarily a problem — organizations should focus on creating a reporting structure that works for them — but lack of structure can create a messy and confusing hierarchy.
What really matters is ensuring that there is regular communication and collaboration between the CISO and other organizational leaders. Information security touches every area of the business, which means security leaders need to be an integral part of any significant decision-making process. The CISO cannot be a siloed position. Building a culture of security and transparency is critical, and fostering collaboration between the CISO and the C-suite can help organizations meet today’s most pressing security and compliance challenges — all while further enabling the business.
Security cannot be an afterthought for leadership
How a business’s leaders view security can make or break a CISO — and those interviewing for a CISO position should prioritize gauging their interest level. If a CISO never meets with the C-Suite during the interview process, that’s a major red flag. If nothing else, a potential CISO should certainly be interviewing with the CTO and CIO — and possibly the legal department as well. If none of those people are interested in meeting with CISO candidates, it diminishes the importance of security within the organization as a whole. Convincing leadership to invest in security will almost certainly be an uphill battle, and it will be difficult for the CISO to work with stakeholders throughout the corporate structure if they are marginalized before they even begin.
The tone at the top sets an example for the rest of the organization, and it’s important to ensure that security is baked into the company culture. Rather than keeping the CISO at arm’s length, organizational leaders should prioritize security in their own messaging, emphasizing the importance of cyber hygiene and other best practices. It’s easy to ignore security updates if they only ever come from the CISO — but when the CEO echoes that same messaging, it makes it clear that security is a focus for the entire organization. That type of coordination requires open lines of communication. The CISO needs to feel comfortable approaching the C-suite with concerns, and the C-Suite needs to demonstrate that they will act appropriately in response to the CISO’s input and provide the resources and support needed.
That also means it’s important to involve the CISO when making key decisions. If an organization is considering whether to start a new service line, develop a new product offering, or acquire a new company, the CISO should be involved in those conversations from an early stage. Bringing the CISO into the fold when an acquisition has already been in motion for six months isn’t helpful to anyone — the CISO may have privacy or security concerns the C-suite hasn’t thought about, but it may be too late to address them. It’s much easier to address security and compliance challenges during the preliminary stages than it is to attempt to remediate them after the fact, and involving the CISO early can prevent any nasty surprises down the road.
CISOs need to speak the language of business
Communication isn’t a one-way street, and it’s also important for the CISO to speak the language of the C-suite. Security needs can be difficult to quantify, but regulations and compliance standards can help security teams frame their needs in an understandable way. That said, compliance is very focused on specific frameworks, and explaining the details of SOC 2 reporting or the finer points of GDPR enforcement is unlikely to resonate with business leaders. Instead, CISOs can focus on security and compliance as business enablers and quantify risk by how it would impact business operations.
Potential partners and customers want to know that their data is in good hands, and organizations that cannot produce the necessary certifications and attestations to prove that their security systems are up to the challenge will be at a significant disadvantage. An effective CISO working across departments should be able to illustrate this point easily: if the organization has 10 prospects asking for a SOC 2 report that it cannot produce, that represents 10 new business opportunities lost. That lost revenue adds up quickly, and organizational leaders will take notice quickly if the CISO can make it clear that deprioritizing security and compliance is impacting their bottom line in a quantifiable way.
This same approach can be applied to risk assessment in general. Business leaders care primarily about costs and expenses and the CISO can make communication easier by focusing on metrics like “return on control” (ROC). That means being able to clearly explain how much a security costs and how much it impacts organizational risk. For instance, it can be incredibly valuable to show how much a certain type of breach would cost juxtaposed with how much a new solution would decrease the likelihood of that breach. Concrete numbers make it much easier to generate buy-in from leadership, and quantitative risk assessments can help demonstrate to the C-suite that the CISO understands their perspective as well.
Strong security requires collaboration and cooperation
Collaboration between the CISO and other business leaders is critical, and it starts with building a culture of security. If company leadership views security and compliance as a cost center rather than a business enabler, it’s going to be very difficult to get them to invest in security. But when leadership recognizes the importance of security and the CISO can speak the language of business, it fosters a sense of cooperation that sets the tone for the entire organization. Security and compliance can be valuable business enablers, but acting on that knowledge requires the CISO and the C-suite to work across traditional reporting structures and focus on meeting the needs of the organization.