In an era of ubiquitous, interconnected communications and digital-everything, the CISO’s role is changing in rather dramatic fashion. It’s less about managing a team of specialized IT people and more about becoming a business leader that works across likes of business and across divisions.
“The CISO is a person who speaks directly to the CIO, who works with different lines of business such as those spinning out SaaS and mobile apps, who talks to legal to address the risk of breaches and what they mean for compliance, and they deal with PR, to be ready to address them when they happen,” explained Chris Wysopal, co-founder CISO and CTO of Veracode, in a session on the changing role of the CISO at RSA 2015. “They are essentially changing from control over a particular domain and staff to a role that affects real business processes on a bigger level.”
This elevation—from technical specialist to senior management role—is not without its challenges. For instance, with the threat space as we know it changing in such dramatic ways to become more complex and sophisticated, the CISO is under fire to protect against them, even when the risk factors are outside of the CISO’s control.
“Every organization has to use technology to grow,” Wysopal said. “At the same time, that same technology is causing risks. So now the CISO’s role is core to how the business is functioning and how much it will grow.”
There’s an upside in all of this, of course, which balances out some of the pressure that a CISO may feel, and that’s the ability to gain the ear of the board of directors, and to ask for more funding.
In fact, the board increasingly expects information security to be more than just an audit function.
“We are definitely moving beyond compliance,” Wysopal explained. “As a baseline, we need a lot more mitigation of risk than what we have right now. They really want to know from a high level—what are the odds of a security event, and would a breach have a major impact on the organization. They really want to have that discussion on risk and risk posture, and that means that you can finally talk at the C-level about where the budget can change.”
Wysopal laid out some strategies for getting the most out of a meeting with the board. First and foremost, recognize that you only get a short amount of time, say five to fifteen minutes. So the talk has to be short and to the point, without a heavy presentation.
“Prepare an appendix for anything beyond a few key indicators, for those that want to go deep,” he counseled. “And communicate with real words, do not use acronyms. Use visuals not text. Basically assume you’re talking to your mom—these are smart business people, but they’re not technical folks and don’t assume that they know what you’re talking about.”
One important metric to use—and it may seem obvious—is dollars.
“They understand dollars,” Wysopal said. “You’ll ask for money and you need to tell them how much area of risk it will cover. And as far as the downside goes, communicate the dollars lost for different types of breaches and for different industries.”
Also, focus on key concepts to get across. For instance, there is no such thing as a breach-free organization. Also, impress that cybersecurity is a company-wide responsibility, encompassing IT, legal, risk, lines of business and PR. All of the different divisions using technology have to deal with risk. And, critically, cybersecurity needs to be thought of as a long-term strategy of the survival of the brand.
To get all of this lodged in the board’s consciousness, it’s critical to threat-model one’s own specific business. As Wysopal said, “Are you in oil and gas? Do you have high-risk intellectual property? Look at breaches in similar industries, the key trends in successful attacks, and talk about who is out to attack your specific company.”