How big do you think the gap is between a typical CISO and their CEO?
Is that gap shrinking (as cyber security becomes more of an accepted and everyday business concept), or is it growing wider as scaremongers rush with overly-technical business cases and presentations that alienate board members?
Last month I met a Chief Information Security Officer who said he was working all hours, fighting a war on two fronts. Firstly, he was trying to overhaul the company's IT and its defences, from scratch, having already spent several months getting around the entire business and identifying exactly what shape the IT estate was actually in. He said it had quickly become clear to him that the state of the company's IT was very different to that presented to him initially, and he suspected that this was due to a mixture of uncertainty as well as self-preservation. Having got his head around what was actually where and doing what, he was now setting about fixing everything in the order of the greatest risk. He said he actually didn't mind that things were more complicated than he first thought – in fact he thought of it as an exciting professional challenge.
However, he said there was another unexpected challenge that was proving just as tricky. The CEO had never once met the CISO.
I can't reveal much about the organisation, but I can say that in this particular company the CISO reported to the CIO, who reported to the board. At this point a major change to the reporting structure was unlikely, so my client told me that he realised that if he didn't get himself further on the board's radar, the information security function would always be fighting for time, resource allocation and, crucially, budget.
I was told that he decided to engineer some face-time with the CEO. He said that about a month after he started, a different company had been in the press for suffering a breach. A few days later the Financial Times had run a front-page article about cyber security, detailing how that breach had seen an immediate, significant fall in the share price of the affected firm. That same day the CISO knocked on the door and asked to introduce himself as the person responsible for day-to-day information security, and stayed for over an hour.
After this, my client said he was invited to nearly all CIO briefings to the board, which itself brought a new challenge: how do you present a largely technical subject such as cyber security to a board whose members each have significantly different levels of interest, technical understanding and responsibility? Frankly, he said, the first presentation was probably too technical. He had wanted to summarise a ‘where we are, where we should be’ position, but in retrospect he had probably included too much detail. He also said he had been surprised that most of the board didn't seem to react very much when he explained some of the potential consequences of a breach.
Fortunately our client was able to change his approach to board presentations, taking into account each member's background through careful research and offline discussions. One of the first things to disappear was the ream of technical data that he'd taken to that first meeting. The board was interested in business outcomes, risk exposure and investment value, and he said overnight his language needed to shift to become more commercial, and accessible.
This challenge of board engagement had come up in conversation with 2-sec whilst discussing some penetration testing that we were due to carry out, and our client in this case had summarised by saying he now considers the communication of cyber security to the business, including senior executives, to be nearly as important as any technical responsibilities he has. We explained that an increasing number of 2-sec CISO clients were now enjoying much closer relationships with their boards or their CEOs, but that there were not many who thought there wasn't at least a small gap left.
2-sec is a leading provider of security consulting services. These include penetration testing, PCI DSS, Cyber Essentials, PA DSS, virtual CISO and training & awareness.