A CISO’s guide to the CEO’s difficult questions
18 August 2018
It’s a scenario we’re all familiar with: “Good morning, Mr Bailey, please take a seat. The interview will start now.” And although confident I have researched and prepared well, I know some searching questions are coming my way. But I also have a few of my own. After all, a job interview is a two-way street.
And the CISO-CEO relationship today is much the same.
The CISO and the CEO
Over the last ten years the CISO role has both evolved and matured. ‘Evolved’ in the sense that today’s CISO has moved from the tactical (managing the detail of devices, vulnerabilities and access) to the strategic – working across the business, deepening organisational understanding of cyber risks and building in the resilience needed for when risk becomes reality.
It has ‘matured’ because the position now demands that the incumbent hold their own at C-level. In fact, for those organisations approaching the pinnacle of information security governance, the CISO can even be found sitting at the boardroom table.
Information security is no longer an issue for the CISO alone. With ‘digital’ as much the lifeblood of the business as finance, securing that domain is of increasing concern for the board. As a result, CEOs are now, quite rightly, asking their CISOs some testing questions:
- Are we secure?
- What strategies have you developed for dealing with an incident?
- What metrics do you use to measure security effectiveness?
- Is this worth the investment?
Given this, what qualities does today’s CISO need, not only to answer these questions (and other such zingers) but to turn them to their advantage?
Qualities of a CISO
Know your risk
If risk management isn’t a core strength, you need to either politely make your excuses and leave, or quickly develop a risk-based approach. Why? Because risk management is the key to communicating with the CEO.
Move away from qualitative risk assessment (what does ‘amber risk status’ mean anyway?) and follow the CFO’s lead of displaying your wares in hard currency. Connect impacts of security threats to potential business failures. Use metrics that resonate with the CEO and speak their everyday terms – financial, productivity and market share. Make sure you pass the “What does this mean for our revenue/production/profit?” test.
For example: you make one unit every 90 seconds. An incident last month resulted in three hours’ downtime. Point out that the proposed new system would have prevented the incident and saved the 120 lost units. Now the CEO is listening.
Understand your organisation
The CISO has moved from a perceived ‘Business Prevention Officer’ to a business enabler, who thoroughly understands not only the organisation but how to play their part in taking it forward. Aim to have as broad a knowledge and experience of the company as possible:
- Get involved across areas
- Participate in cross-department projects
- Hold regular bilateral meetings with heads of departments
- Go on sales and customer visits
Taking this approach has the additional benefits of raising the profile of information security and connecting you to the company’s key stakeholders. This facilitates a much warmer reception and open minds the next time you introduce initiatives or changes to your information security policies.
Understand your people
In attempting to get people to learn about and practise good information security habits, you are trying to change behaviours of those you don’t necessarily have the power to mandate. Understanding how people think, view life and change their behaviour is a key CISO attribute.
Here you can leverage the informal network and build relationships with the key stakeholders, centred specifically on cybersecurity.
Going a step further, establish an ‘information security ambassador network’ – an informal group of ‘lay’ representatives that creates a cyber footprint across the business and provides two-way communication with all areas.
Lead your team
Remember that leadership isn’t just about you. It’s about drawing out the best from those around you. And ensuring ‘the best’ are around you in the first place.
You need to build, develop and lead a multi-disciplinary team. Think outside the box to include disciplines such as:
- Risk management
- Forensic analysis
So you’ve got those qualities nailed; how about answering those questions?
Well, let’s rewind to that hypothetical job interview. You know the general thrust of the questions, but the key is to be prepared for all eventualities.
Be sure of your ground
As already mentioned, make sure you know the business – its vision, mission, objectives, strategy and plans. Ensure your information security objectives and strategy directly link to and support the organisation’s overall objectives.
Then take it to the CEO. Explain what you are doing with the company’s money and how you are protecting it and its assets. Know the potential cost of a hypothetical breach if leadership fails to properly invest in security. Don’t forget to explain the total cost, made up of:
- The immediate cost of responding to an incident
- The anticipated ongoing cost to the business, including everything from business disruption, loss of customers and reputational damage to legal fees and remediation
The hypothetical bill may surprise the CEO.
As a discipline, security is moving fast, and the CEO needs to understand that the business impact of security and compliance changes can be dramatic. Engaging in a healthy dialogue with the CEO over security and compliance is essential. Avoid the “Nothing’s on fire today, off you go” conversation.
Outside the boardroom, it’s vital to take the rest of the business with you. Develop a comms programme that regularly issues updates on information security, explains how it relates to the business and seeks feedback from all. Work closely with the internal communication function and bring your ambassador network into play. Perhaps develop competitions that reward engagement with your initiatives.
Make that risk management assessment
Consider setting up an internal risk management group to establish benchmarks for risk acceptance levels and procedures for identifying and managing risks. This helps to better demonstrate how the various cybersecurity initiatives and projects are managing and reducing levels of risk.
CEOs will ask CISOs what they are doing to inform employees about cybercrime risks and what they should be doing to comply with company policies and external regulations. So, benchmark the staff’s current information security awareness and behaviour, and identify where improvements need to be made.
From this intelligence you can develop a behavioural change programme that encompasses comms channels and your less formal influence networks to shift the information security behaviour of the company, and evidence how far the company has progressed.
It’s a two-way street – “Have you any questions for me?”
What do you need from the CEO? Well, an acceptance of a shared responsibility for a start. CEOs need to recognise the importance of cyber security and be directly involved in setting the level of acceptable risk.
The CEO needs to lead by actively enquiring into emerging risks. As businesses become increasingly digital, the status of information security moves from a technical issue to an area of core business impact. CEOs need to foster the conversation in terms of understanding business risk and the impact of the changing security landscape.
The wider C-suite also has responsibilities to support the CISO, so get commitment from them on:
- Investment that changes existing business processes
- Infusing understanding that everyone is responsible for information security
- Ensuring business leaders get their areas on the cybersecurity agenda
By taking the wider business view, working across the organisation and establishing genuine two-way communication with the CEO, you may just hear the equivalent of those wonderful words:
“Congratulations, you have the job!”