The Modern CISO
How big do you think the gap is between a typical CISO and their CEO?
Is that gap shrinking (as cyber security becomes more of an accepted and everyday business concept), or is it growing wider as scaremongers rush with overly-technical business cases and presentations that alienate board members?
Last month I met a Chief Information Security Officer who said he was working all hours, fighting a war on two fronts. Firstly, he was trying to overhaul the company’s IT and it’s defences, from scratch, having already spent several months getting around the entire business and identifying exactly what shape the IT estate was actually in. He said it had quickly became clear to him that the state of the company’s IT was very different to that presented to him initially, and he suspected that this was due to a mixture of uncertainty as well as self-preservation. Having got his head around what was actually where and doing what, he was now setting about fixing everything in the order of the greatest risk. He said he actually didn’t mind that things were more complicated than he first thought – in fact he thought of it as an exciting professional challenge.
However, he said there was another unexpected challenge that was proving just as tricky. The CEO had never once met the CISO.
I can’t reveal much about the organisation, but I can say that in this particular company the CISO reported to the CIO, who reported to the board. At this point a major change to a reporting structure was unlikely, so my client told me that he realised that if he didn’t get himself further on the board’s radar, that the information security function would always be fighting for time, resource allocation, and crucially, budget.
I was told that he decided to engineer some face-time with the CEO. He said that about a month after he started, a different company had been in the press for suffering a breach. A few days later the Financial Times had run a front-page article about cyber security, detailing how that breach had seen an immediate, significant fall in the share price of the affected firm. That same day the CISO knocked on the door at asked to introduce himself as the person responsible for day to day information security, and stayed for over an hour.
After this, my client said he was invited to nearly all CIO briefings to the board, which itself brought a new challenge: how do you present a largely technical subject such as cyber security, to a board who’s members each have significantly different levels of interest, technical understanding and responsibility? Frankly, he said, the first presentation was probably too technical. He had wanted to summarise a ‘where we are, where we should be‘ position, but in retrospect he he had probably included too much detail. He also said he had been surprised that most of the board didn’t seem to react very much when he explained some of the potential consequences of a breach.
Fortunately our client was able to change his approach to board presentations, taking into account each member’s background through careful research and offline discussions. One of the first things to disappear was the ream of technical data that he’d taken to that first meeting. The board was interested in business outcomes, risk exposure and investment value, and he said overnight his language needed to shift to become more commercial, and accessible.
This challenge of board-engagement had come up in conversation with 2-sec whilst discussing some penetration testing that we were due to carry out, and our client in this case had summarised by saying he now considers the communication of cyber security to the business, including senior executives, to be nearly as important as any technical responsibilities he has. We explained that an increasing number of 2-sec CISO clients were now enjoying much closer relationships with their board of their CEOs, but that there were not many that though there wasn’t at least a small gap left.