CISOs & the C-Suite - seeing eye to eye
Every business will run into difficulties when it comes to teams communicating with one another or teams communicating with senior management.
From not seeing eye to eye on business-critical tasks to using jargon and language that can leave management feeling out of control, or out of their depth, in dealing with the issues, this is a common business problem.
Of course, when it comes to security, and cyber security in particular, this is often the case simply due to the nature of the work. Being able to integrate cyber security into a business and make senior leaders understand why it is essential is critical in today’s fast-paced world.
In this article you will learn about the kinds of issues between CISOs and the C-Suite and how to improve working relationships between the two.
Problems Between CISOs and the C-Suite
It’s no surprise that the last 20+ months have been challenging for businesses, and the pandemic showed that they had to find different ways of working in order to survive and stay competitive in their marketplace.
CISOs faced a double whammy in that same period: the majority of people having to work from home posed a massive security challenge, and ransomware and malware attacks spiked in late 2020 and throughout 2021.
However, getting the C-Suite/Board to see the issues with the same level of concern was one of the biggest challenges and remains so to this day. The two have different operational concerns which, over a period of time, can cause internal disputes and tension between the two teams.
Therefore it has become even more necessary for CISOs to gain the board’s trust: getting them to see the seriousness of the issues, but also getting buy-in when it comes to dealing with security measures.
These are just some of the issues that CISOs and the C-Suite have faced:
- CISOs need to move beyond the technical aspects of their role to understand the c-suite’s priorities and assist with the organisation’s overall strategy.
- CISOs need to gain trust from the board.
- C-suite / board needs to understand what the CISO is asking for and what’s required from them (the board).
- In many organisations the board/executive management team has no “comprehensive understanding of information security to fully evaluate cyber risks and preventive measures” - proposed by CISOs.
- Very few organisations (around 18%) make information security a strategic agenda item. And over 50% state that security only influences business strategy “somewhat” or not at all.
- C-suite / board don’t always understand or appreciate what CISOs present to them:
  - often due to highly technical presentations;
  - or presentations that don’t adequately highlight security risks and the impact they can have.
- C-suite / board members are often not adequately educated or up to date on security topics.
- CISOs may not be directly presenting to the board - which isn’t good.
  - CISOs should present to boards regularly and often - at least once a year.
- Security concerns and challenges raised by CISOs are not always being adequately discussed by executives.
- C-suite / board members can sometimes focus on the wrong evaluation and status metrics.
- CISOs are not always being involved in business strategy discussions early enough.
How to Improve Working Relationships Between CISOs and the C-Suite
Whilst all of these challenges can strain the business relationship, there are many methods that can be used to overcome them, to the benefit of the organisations involved.
Here are a few ideas on how to better develop the relationship between CISOs and their c-suites / board members - and foster trust.
Communicate clearly and effectively
- As with any presentation or meeting, knowing your audience - in this case the C-Suite - and tailoring how information is presented and communicated to meet their needs is essential.
- Presentations need to be less technical. Remove jargon and key phrases that can confuse the audience. Use the KISS principle (keep it simple) if required - in most cases you are communicating with an audience who doesn’t understand your work, so make it as simple as possible.
Set realistic expectations
- CISOs need to make certain the c-suite / board fully understands security risks and what’s needed to mitigate them.
- Think about how you would explain this to someone in the street - and why it’s important.
- The c-suite / board needs to realistically recognise that security breaches are a business reality.
- CISOs need to convey risk metrics such that they can be fully understood and appreciated by executives.
Use relevant metrics
- If there is one thing that can confuse the board or cause tension, it is when the metrics used to communicate with the board make little to no sense.
- A common metric, understood by most board members, is cost. This is one of the most important metrics, if not the most important, to CFOs as it can influence business decisions across the board.
- Different metrics / reporting would apply to various department heads, for example:
  - HR - likely to be highly concerned with personal data security
  - Finance - want to ensure their systems and processes are secure
  - Production - need to ensure continuity and profitability.
Make cyber business integration a priority
- As previously noted - a significant proportion of existing organisations are continuing to almost ignore information and cyber security in their business strategy deliberations.
- If there is a lack of an integrated approach, then the work of both the CISO and the C-Suite is compromised.
- Therefore it is a key challenge for many CISOs to make cyber business integration a priority.
Collaborate with the CFO more closely
- The CFO approves the budgets of all departments, which is why CISOs need to develop a better relationship with this particular department.
- It can be more difficult to get the CFO to approve the cost of security-related resources than it is the CEO.
- Providing data on the last 12-18 months of issues, and then showing what a cost strategy to avoid those issues recurring would look like, is a wise move, as CFOs want to work with hard data.
- The CISO and CFO can construct a plan for the coming fiscal year using this information. Regular assessments can ensure that there are no unpleasant shocks when the next budget proposal arrives.
Every business will run into difficulties when it comes to teams communicating with one another or teams communicating with senior management. Getting CISOs to communicate better with the C-Suite/Board comes down to some basic principles. These include communicating in simpler terms, developing relationships with CFOs and building trust with the board as part of an integrated cyber security strategy across the business.