We cannot deny the fact: present-day security is about business, not technology. Given skyrocketing cybercrime and its cost to businesses of any size across industries, a shift to a security-minded corporate culture was more than necessary: it was urgent.
The IT security function has moved from being a cost center to being part of the revenue side, with the CISO engaged in protecting brand reputation and credibility. The shift was colossal and valuable for the entire business ecosystem, but let us be honest and answer the question: are CISOs accepted as full-fledged members of the C-level? Not really.
In practice, the transition of CISOs to the C-level is a bumpy ride, a thorny path, whatever you call it; it is anything but smooth. The integration process stumbles over an array of obstacles that boil down to one serious problem: communication. The present state of the organizational structure is a Tower of Babel where everyone speaks their own language. According to the Deloitte CISO Labs report, 90% of CISOs aspire to improved strategic alignment between business and security, and 46% feel this alignment will not be achieved.
Unity and movement toward the common objective, business security, depend on the seamless circulation of information across levels. It requires not only the adjustment of business processes but also changes in minds and perceptions.
Roots of the disconnect
Perceptions at the executive level appear to be extremely hard to change. For years CISOs were viewed as tech champs dealing with software, compliance-related issues, and network security architecture, quite a narrow perspective. They were the notorious "NO people", rejecting business risks they considered minor.
Past practice shaped the entrenched image of CISOs in the minds of business units as policemen, and now, under current circumstances, they have to be partners. This perception impedes a healthy organizational process in which everyone is on the same page regarding business vulnerabilities.
Integration of the CISO into the C-level breaks down into specific areas that many companies seem to fail at. The new organizational chart implies new reporting lines, yet almost half of businesses keep the old reporting system: their CISOs still report to the CIO instead of the CEO. Another hurdle on the road to integration stems from an inherent conflict of interest between the two: while the CIO tries to cut costs, the CISO insists on additional investment to improve security.
While the CISO's role in the company is fairly clear, the organizational structure lacks the same clarity when it comes to defining the CISO's place within the board.
Another aspect of the issue is that CISOs have difficulty finding the proper language to state their cases and to articulate cybersecurity priorities, decisions, and accomplishments in front of executives.
The CISO's choice of language influences the executive's ability to heed the threat and its cost to the company. Speaking geek jargon and expressing concerns in terms of metrics rather than use cases is inappropriate for a business decision-maker and strategic player. Business-specific, bottom-line communication meant to convince and influence is built upon mechanisms embedded in the business routine.
How to bridge the gap technically
All efforts must be focused on creating an environment of learning, support, and acceptance where everyone shares ownership of, and appetite for, cyber risk.
While working on transformations inside HackenProof, we realized the importance of support and mutual inspiration: the emotional constituent can drive behavior changes and ultimately change the culture within the company. The cybersecurity values and guidelines must be written on paper. It is the very first stage where cybersecurity is manifested as one of the business priorities.
Having mentorship programs and group learning initiatives in place will allow executives to share their expertise, insights, and the challenges they faced earlier.
Top management creates an atmosphere in which CISOs learn the language of money and figures. Cybersecurity must be discussed at every board meeting, where CISOs make their presentations.
Speaking the language of money means binding risk to time: pinpointing the remediation cost at various stages of the development cycle. Synchronizing the two dimensions requires much assistance from the executives and diplomacy from the CISOs, and both must learn how to listen to each other with an open mind.