When Equifax launched its search for a new chief information security officer (CISO) following its colossal data breach last year, the ability to operate as a capable C-level collaborator was at least as important as the candidate’s capacity for executing an effective information-security strategy.
The company’s new CISO, Jamil Farshchi—a business-aligned security leader who’s held the role at Home Depot, Time Warner, Visa, and Los Alamos National Laboratory—has been outspoken in describing the job as balancing the often-opposing demands of risk mitigation with business innovation. In order to do that well, CISOs must be able to manage not only their own information-security organizations, but also their relationships with their CEOs, boards of directors, and C-level peers.
Being able to communicate and collaborate both up and across the chain of command is a skill set that too few CISOs possess today, said Kal Bittianda, head of executive recruiter Egon Zehnder’s North America technology practice group, who worked on the Equifax CISO search. “CISOs in the past were ‘racks and stacks’ kinds of people. They managed the servers and manned the security dashboards behind a desk,” Bittianda explained. “They emailed updates, but they never spoke to anyone outside of their organizations. No one knew who they were—and no one cared.”
‘Out from the shadows’
Not so today, when every major corporation’s board and C-level leaders are on the hook for cybersecurity risk mitigation. They are holding half-day sessions to get a better grasp of what’s going on, and they don’t want to hear about it from the CEO or the CIO. They want to talk to the person in charge.
“Overnight, the CISO must come out from the shadows to stand in front of the board, and it’s a fairly daunting task,” said Bittianda. “Only some CISOs are capable of doing that well—and those people are in high demand.” Information-security leaders might be doing stellar work, but because they have not been trained in how to present a compelling case to board members, they risk being seen as incompetent.
The CISO’s peers have run this gauntlet in the past, thrust from executive obscurity into the spotlight. During the era of the Sarbanes-Oxley Act, board members wanted to hear from their company’s financial leaders to better understand the impact of financial statements and how to build robust internal controls. As technology became more central to corporate competitiveness, the board called on CIOs to help connect the dots between IT and business strategy. In many cases, it was trial by fire, and those who failed to rise to the challenge were often ushered out the door. In the past five or so years, the chief marketing officer (CMO) has come to the fore, with the advent of digital marketing and transformation.
Like the CFOs, CIOs, and CMOs who came before them, CISOs will now have to learn how to work with a variety of alien—that is, non-infosec—constituencies in a short period of time, each of which has their own specific interests in cybersecurity.
“The pervasive use of technology means that legal, HR, marketing, ethics, compliance, and the board must understand these [cybersecurity] technologies, along with their risks and implications,” said Avani Desai, executive vice president and principal privacy leader at independent IT audit and certification firm Schellman & Company. “CISOs and CSOs need to learn how to move from being team leaders or group leaders to collaborators. We should see a paradigm shift, where CISOs and CSOs [evolve from] being assessors, technical champions, and compliance keepers to being business catalysts.”
This means not only presenting before the board, but providing more frequent updates to the executive team, fostering more open dialogue among business leaders, and spearheading the effort to mold the corporate culture to realize the value of information security.
That will require significant effort on the part of CISOs themselves. “They need to be able to talk to their business peers,” said Bittianda, “and if it’s something they’ve never done before, people might not make it easy for them.”
A good place to start is with the CEO and CIO. “I’m sure the CEO is already asking for updates on cyber,” Bittianda noted. “CISOs can look at what they need to do differently to be more effective in those conversations, seeking and accepting feedback on what works and what doesn’t.” CIOs—particularly the 70 percent who have CISOs reporting to them—have a vested interest in helping their information-security reports sharpen their skills by managing vertically and horizontally within the organization. “There’s a lot of incentive for them to help,” Bittianda said. “And they have lived through this journey themselves.”
Value of information security
CISOs should capitalize on every chance they have to speak to non-tech audiences to increase their capacity for explaining the value of information security in plain English. There also might be opportunities to get training internally or externally.
Just as important to CISO success as learning how to speak to business leaders is taking the time to understand their needs. The information-security organization has long been viewed as the department of “no,” with the CISO being a barrier to business success. “If someone in the business saw them coming, they’d avoid them,” joked Bittianda. It’s critical to change that perception, because the earlier information security is built into business strategy, the more likely it is that the CISO will be able to put effective practices in place. CISOs should be seen as more than “overseeing just technology or security,” said Desai. “They are business leaders who are helping to ensure and safeguard confidentiality, integrity, and availability of a company’s processes.”
For CISOs who want to build reputations as problem solvers rather than road blockers, “listening is huge—trying to understand the problems versus being perceived as the person who is adding more problems to their plate,” Bittianda said. “It’s important to build those relationships so they believe you’ve got their back and are willing to help them get things done.”
While the onus is on the CISO to sharpen his or her business-communication and collaboration skills, corporate leaders concerned that their security leaders aren’t up to the task should take an interest in helping them improve. After all, concluded Bittianda, those business-seasoned CISOs are still hard to come by, and companies may be better off growing their own than taking their chances on the open market.