It Is Time for the CISO to be at the Table

I thought that by now, the CISO would sit beside the CFO and CEO at the boardroom table. Like the CFO, the CISO is a valued strategic contributor who plays a critical role in the company’s success, and is equally involved in day-to-day business decisions. Is it finally time?
 
The security industry has advocated for a seat at the executive table for at least the last decade. For all our talk, however, we haven’t made much progress. A CISO in the boardroom is still an odd occurrence. If we’re going to change that, CISOs need to change the way they think and interact with the business. They need look only as far as the CFO to see how it’s done.
 
The CFO is a relatively new role. Even 30 years ago it was rare to find a company with a CFO. Fast forward to today and it’s rare to find a company without one. Not only do CFOs have a seat at the table, but they’re often on the succession plan for the CEO. The position has matured from being nonexistent to becoming a successor in three decades.
 
It’s easy to see the value of a CFO. They own the revenue piece of the company. But most importantly, they enable revenue to be articulated. The CFO has the benefit of dealing in dollars and cents—hard numbers. Modern software leverages Dow Jones Industrial-type charts that graphically portray projections and expectations for the sector. As a result, financials are clearly articulated for everyone to understand. 
 
Therein lies the difference between the CFO and most CISOs: Whereas CFOs can articulate the current and future state of revenue in quantitative terms, most CISOs can only speak about risk in qualitative terms that lack context and metrics. 
 
When asked about their company’s risk posture, many CISOs will provide a vague descriptor: high, medium, or low, or red, yellow, or green. These qualitative measurements mean nothing to the board. Furthermore, they don’t allow CISOs to articulate the quantitative impact of investments on risk. The CISO might tell the board the cyber risk level is yellow, and request $1 million to roll out patches. The board obviously wants to know what risk will look like after the rollout, but the best the CISO can do is say that it will still be yellow.
 
As long as security continues to operate based on qualitative metrics with no quantification, it won’t be perceived as a mature field. If you think about it, no other part of the business can get away with that. CISOs need to figure out a way to have a more mature conversation so that they can be more confident about how they describe and discuss risk. 
 
One place to begin is by taking cyber risk and viewing the impact in terms of dollars. Risk itself can be a qualitative measure, but the impact around an incident—the cost of a downed asset from lost revenue, recovery, etc.—can be quantitative. The good news is, we already know those figures. The CISO just needs to take ownership of them.  
 
Consider the cost of losing a data center. Security leaders typically quantify the value of the hardware and software in the data center, and perhaps the overtime required to bring the data center back online. The CISO tells the board that losing the data center will cost $1.5 million. But that number doesn’t take into account lost revenue as a result of not having the data center.

An incident that leads to two weeks of downtime can actually cost the company tens of millions, or even hundreds of millions, of dollars in lost business. That paints a very different picture.
 
You can’t own a problem if you don’t measure it. If you’re not measuring it, there’s no way to address it. However, once risk is actually being measured, real change can begin to occur in the company’s risk posture, because now CISOs can quantify the impact of the funds they request.
 
The security industry will grow in maturity when CISOs take ownership of what the business will suffer in the case of an incident and when they’ve quantified that impact. When security maturity grows, CISOs will get that coveted seat at the executive table. 
