PUTTING THE ‘CHIEF’ IN ‘CISO’
In a new era of destructive cyberthreats, CISOs have the ultimate remit of protecting their organisations from harm – but not all of those with the title are approaching their responsibilities in the right way, argues Rick Holland, VP Strategy and CISO, Digital Shadows. He offers his recommendations for empowering CISOs and outlines the major issues they need to be on top of right now.
We should all applaud the fact that the position of Chief Information Security Officer has caught on in recent years. It has made it clear where the buck for security stops, instead of it being lumped in under a generic IT director or CIO.

But in my 20+ years’ experience of being a CISO, and of having advised CISOs as a security analyst for Forrester Research, all CISOs are not created equal. Sad to say, in many cases there is nothing ‘chief’ about them and they are executives in title only. To be successful, and to be taken seriously by their other c-level peers, Chief Information Security Officers (CISOs) need a different approach. Now that I am a CISO myself and spend even more time with my peers, I find that many CISOs are actually ‘cISOs’. After years of seeking to be elevated to the c-suite and get in front of the board, many CISOs, now given the opportunity, are struggling with the transition.
Combining my years of experience as an industry analyst with my perspective as a CISO, here are three recommendations for empowering CISOs with a capital ‘C’.
1. Understand how your business generates revenue. To operate as an actual ‘chief’ you must spend time talking to line-of-business leaders to understand how your company truly operates. With knowledge of how the business generates revenue and the people and technology involved, you can model how insiders, external adversaries and competitors might disrupt your operations. You can then map out the appropriate security controls to minimise the implications and build resilience into your programme.
2. Understand your business risks and how to mitigate them. If you work for a public company, take the time to review your company’s annual report to shareholders. Inside, you’ll find a wide-ranging list of risks to the business – from supply chains and weather to geopolitics. Privately held companies have a risk governance committee maintaining a similar list. Even if cyber-risk isn’t explicitly called out, a fully-fledged CISO will take the time to understand these business risks, map them to the cyber-domain and then determine how best to mitigate them.
3. Make the most of your board presentation. As a member of the c-suite, you now have an opportunity to present to the board. You need to understand what they want to know and you need to communicate that information effectively. As a first step,
Issue 06 | www.intelligentciso.com