Are CISOs the New Sales Experts?

Has the CISO role evolved from a tech-laden one to a discipline of effective language, sales and marketing skills? Sarah Coble finds out.

The chief information security officer (CISO) has traditionally been a technical whizz who can achieve compliance, protect data and clean up when security disasters strike. 

Historically, the role has reported to the chief information officer (CIO), but with more CISOs than ever running a direct line to the board or CEO, has the role morphed into a business-focused sales position in which security is sold as a ‘product’ to the C-suite and the wider stakeholders?

The CISO role owes its existence to a $10m cyber-heist perpetrated in 1994 by Russian hacker Vladimir Levin against the banking giant Citigroup (then Citi Corp. Inc.). To prevent further catastrophes, a team led by former Citi Corp CEO John Reed set up the world’s first executive cybersecurity office and hired Steve Katz as the first CISO to run it.
 
Other organizations followed suit, and today the CISO role is common. A 2018 study by (ISC)2 revealed that 86% of organizations that consider themselves adequately staffed with cybersecurity talent have a CISO, as do 62% of Fortune 500 companies, according to research published by Bitglass in September 2019. 

The Multifaceted CISO 25 Years On
Citi Corp hired Katz to restore trust in the company; to explain what had happened and, through the creation of a robust information security system, to protect the organization from future threats.

The CISO of 2019 has more of a multifarious role, requiring an expansive skillset, and technical focus has given way to business concerns.

“The CISO role has become less of a technical evangelist and subject matter expert and more of an ambassadorial business partner, strategist and marketeer,” Domino’s Pizza Group PLC CISO Paul Watts tells Infosecurity.

James Carder, LogRhythm Lab CISO and vice-president, views the position as even more complex. “Today’s modern CISO is more of a business CISO that understands how security ties into the business. In order to be successful, they have to know security, technology, finance, sales and marketing,” he argues.

A Tough Sell
Research from Herjavec Group states that cybercrime will cost the world an estimated $6tn in 2021, and according to Optiv’s 2019 State of the CISO report, “with the rise of the data breach epidemic, and the imposition of comprehensive privacy regulations like the EU’s General Data Protection Regulation and the California Consumer Privacy Act, cybersecurity has become a top business risk.”

However, a rambunctious cyber-threat landscape, in which 4.1bn records were exposed in data breaches in the first half of 2019 alone (according to RiskBased Security) does not translate into a CISO being hired by every organization.

Furthermore, an organization with the risk maturity and security sensibilities to hire a CISO may not take the next logical step of ring-fencing funds for cybersecurity. 

If CISOs are adopting a sales approach to security, then it might be because organizations have lost sight of what information security actually equates to and why it’s valuable. In some organizations, security has taken on the character of an optional bolt-on product instead of an essential element of a contemporary functioning business. This detracts from its intrinsic value as a way to maintain trust between an organization and its customers. 

In other instances, the value of security has been inverted so completely that it is now seen as an irritating obstruction to progress. “The problem for security is being seen as a cost and/or a barrier to business agility,” says former CISO and now CSO at Context Information Security, David Fox.

Occasionally, organizations fail so completely to recognize even the basic risk-reducing advantages of security that they resort to faking it. 

“The view that good security can drive business growth and a healthier bottom line has gotten lost. Unfortunately, many organizations are still using the CISO role as a box-checking exercise to claim they take security seriously, when they, in fact, don’t,” PAS CISO Jason Haward-Grau tells Infosecurity.

Winning Hearts and Wallets
Along with a bad reputation in some corners, cybersecurity suffers from being intangible, complicated, technical and, to some extent, unquantifiable.
 
Carder observes: “Security is not a ‘product’ that is truly quantitative. It is often measured qualitatively, and boards and executives aren’t really a fan of feelings and thoughts without critical, quantitative data to back it up.” 

However, just as CEOs and boards can sometimes be befuddled by the technical side of security, CISOs can be stymied by the difficulty of trying to communicate security’s importance to the business in a way that is relatable.
 
CEOs that are left unsure of how much bang they will get for a buck invested in security will understandably steer funding towards revenue-generating sales and marketing, or the research and development of new products. 

Leaders who skimp on security, whether through operational naivety or reckless abandonment, do so at their peril. As Jason Haward-Grau acknowledges, “if you can’t grow sales, marketing and products securely, then that’s a problem.”

Back to School
Where resources are limited and demands on a budget notable, CISOs are forced to flex their sales muscles to secure funding. “The CISO is ultimately selling insurance and risk mitigation from cybersecurity threats,” Code42 CISO Jadee Hanson points out. 

However, to successfully compete for a slice of the budget pie long-term, CISOs must do more than sell; they must communicate and educate. 

IBM global security advisor Limor Kessem tells Infosecurity: “Strong presentation skills to strategically present projects to the executive team and board members can go a long way in helping CISOs highlight the criticality of security, educate their organization on relevant threats and prepare them for potential attacks. 

“By delivering information in a more compelling way, security teams stand to benefit from more adequate budgeting. More importantly, they can benefit from executive sponsorship and top-down support of the security strategy and governance.”

CTO and Pharos Security founder, Douglas Ferguson, envisages CISOs going even further, virtually running a business within a business.

“The successful modern CISO will provide the board with choices, levels of investment that can demonstrably control levels of impact, and the execution plan, down to resource costs, to achieve these results. They will back it up with straightforward and easy to measure KPIs, and provide real-time executive reporting of performance to goal, not only of levels of impact control, but of how well investment is being leveraged.”

Get Out Your Compass
The ability to play salesperson, educator or even CEO may now be a requirement of the role, but as an overall descriptor of what a CISO really does, ‘enabler’ or even ‘digital navigator’ might be a better fit. 

Jadee Hanson says: “If done correctly, security should be thought of as an enabler rather than a ‘product.’ Security teams should be viewed as trusted experts in the organization that are there to solve problems; to enable the business to move forward in a way that is secure and will not cause undue risks for the organization.”

Leaving aside the method, the message that CISOs must convey is the permanent lung-like importance of security to everything a business does. Security in 2019 isn’t just about reducing risk and maintaining customers’ trust; it’s about keeping a business operational in a constantly evolving digital landscape in which IoT devices are proliferating and the amount of infrastructure and number of services being handled by third parties continues to rise. 

Simply staying open for business may become increasingly difficult for some organizations, as cyber-attackers switch their sights away from the IT environment towards operational technology (OT).

According to a recent study from Siemens and the Ponemon Institute, “Where past attacks primarily targeted data theft, current and future attacks can hijack control systems and logic controllers that operate critical infrastructure with the intent to cause physical damage and outages.”

Bifurcation or Burnout
Whatever the CISO role entails and however it is defined, the job is proving to be too much for many, with burnout becoming a real problem. 

In a 2019 Nominet survey of 408 CISOs, every single one said their job was stressful, with 91% reporting moderate or high stress and nearly 17% turning to medication or alcohol to deal with the demands of their job. Adding to their worries is the belief held by many CISOs that they are one major security incident away from unemployment. 

Cybersecurity recruitment specialist, and founder and CEO of CyberSN, Deidre Diamond tells Infosecurity that CISOs “believe their jobs are never secure. “A phrase I hear all the time is, ‘keep your eyes open for me; I could be let go at any time,’ and yet they stay committed, hoping it won’t happen,” says Diamond. “That stress, plus the normal stress of the job, causes complete burnout.”

What’s Next for  CISO Survivors?
From reactive origins, the CISO now has the chance to be proactive, using a wide range of skills to steer an organization towards a secure and sustainable future. 

Bionic Cyber CEO Mark Orlando tells Infosecurity: “I believe we’ll continue to see CISOs participate in more strategic decision-making and operate outside of infrastructure or information management functions.” 

As for the future of the CISO role, its first ever holder Steve Katz foresees the position undergoing a long-overdue forking. 

In a 2015 interview, Katz predicted: “In the next five to 10 years, the CISO will become two roles – the technology expert and the information risk expert. The information risk role will be the ‘what’ and the ‘why.’ The technology role will be the ‘how.’

“I think to expect a person to be an expert in both areas will be too much to ask.”