The Changing Role of the CISO

Over the past decade, the role of the CISO has evolved to keep pace with today’s dynamic threat and regulatory environment. Cybersecurity has expanded well beyond the confines of IT and is now a concern at the highest enterprise level. This has impacted how CISOs are viewed within the organization, as well as their typical reporting structure. It has also redefined the skills and backgrounds that determine who will be hired in those roles, and, perhaps more importantly, who will succeed.

I spend a lot of time analyzing how the role of the CISO is evolving. I have worked in close partnership with Paul Calatayud, CSO at Palo Alto Networks, and my colleague Jamey Cummings, a fellow co-leader of the Cybersecurity Center of Expertise at Korn Ferry. Here are some of our findings, adapted from this article.

Change Agents

The new dynamic in cybersecurity has made the CISO far more visible and accountable in organizations. When Korn Ferry researchers analyzed data from a work analysis exercise given to executives, the results showed that 80% of CISOs said their jobs had a very high-profile orientation for both visibility and accountability. This was nearly double the percentage of other same-level managers surveyed.

Beyond that, there were two other critical areas where CISOs expressed a higher requirement than their counterparts across the organization. Those were:

  • Long-term strategic vision
  • Implementing new initiatives

These findings suggest that organizations need cybersecurity leaders with skills that go well beyond technical expertise. Technical knowledge is still essential, but today’s CISOs need to be able to think outside the box, dig deeply into issues, exercise seasoned business judgment, exert influence at the board and C-level suites, and be a credible business partner.

According to our research at Korn Ferry, CISOs also need a different “motivational makeup” because “the most effective leaders are those who seek high visibility and accountability and strive to be agents of change.”

Reporting Structures

The higher levels of visibility and accountability have also affected where CISOs fit in within the overall organization as well as their reporting structures. Korn Ferry’s research shows a shift in reporting relationships. While many continue to report to a CIO, many more CISOs are now reporting to the head of risk management, a general counsel, the company’s president or the COO.

As noted in our most recent report: “Because the CISO has moved from the back-of-the-house operations to a key public-facing figure relied upon heavily by others in the C-suite, gone are the days when someone who is a brilliant technology expert but lacks business and relationship acumen can make it at the top ranks of the cybersecurity role.”

In today’s world, an ideal CISO has to keep up with the breakneck speed of technological change, while also having a strong aptitude for leading courageously, moving nimbly and understanding the right level of risk to make an organization safe—while still innovating.

Where will organizations find these rare individuals? See part two of our series: Archetypes of the Modern CISO.

View the full report that outlines what’s ahead for CISO leaders.

Source: https://www.securityroundtable.org/changingroleciso/

What’s The Best Reporting Structure for the CISO?

As cybersecurity risk management has emerged as a top strategic priority for companies across industries, the question of whom the CISO should report to has likewise risen in importance. Historically, the CISO reported to the CIO, but companies are increasingly considering a number of alternatives—from placing the CISO in the risk or enterprise data groups to having them report directly to the CEO or the board. Although there is no one-size-fits-all answer, we can provide guidance for companies about the pros and cons of the various options.

Option #1: Reporting to the CIO

Most CISOs have reported to the chief information officer (CIO) since the cybersecurity position was first created—and most CISOs call the CIO boss today, according to Kal Bittianda, head of executive recruiter Egon Zehnder’s North America technology practice group.

Pros: The CIO is the member of the C-suite who best understands cybersecurity issues and, in many cases, is reporting to the board on the topic. Much of a CISO’s spending is directly related to IT. And there would be a cost of disruption to change this approach in many organizations, says Bittianda.

Cons: Although the CISO role was created to secure IT systems and data, “a big part of the role is outside of IT,” says Sandra Konings, partner with BDO Advisory in the area of cybersecurity. CISOs have to consider employee awareness and education, develop security policies and procedures, and drive cultural change. “When the CISO is reporting to the CIO, it may be easy to influence IT,” says Konings. “But it’s not so easy to influence anyone else.” CISOs reporting to CIOs may also be pressured to focus on technological solutions at the expense of more holistic solutions. The most significant cybersecurity vulnerabilities are the humans in an organization, not its technology stack. Falling under the CIO reinforces the notion that cybersecurity is simply an IT issue, rather than an enterprise one, says Denver Edwards, principal at the law firm of Bressler, Amery & Ross specializing in cybersecurity issues. There can also be a conflict of interest when the CIO must weigh security against other priorities such as networking, application development, infrastructure support, and outsourcing, says David F. Katz, a partner and leader of the Privacy and Information Security Practice Group for Nelson Mullins Riley & Scarborough.

Option #2: Reporting to the CRO

Over the last five years, some organizations, such as financial services firms and large multi-national companies, have opted to place the CISO under the chief risk officer (CRO).

Pros: “The role of risk function is to give board greater insight into the enterprise risk of the company, not just financial risk so it makes sense,” says Konings of BDO Advisory. “It’s an oversight function and that can help to ensure that everyone does what’s needed to put the right solutions in place.”

Cons: In many companies, the CRO doesn’t report to CEOs so this reporting structure can further distance CISOs from top executives and company strategy. “At one large company, we transferred the CISO to risk and for a year it worked really well,” says Konings. “But the downside is you’re too far away from everything else.”

Option #3: Reporting to the CFO

Companies nestle any number of functions under finance—IT, risk management, procurement, tax, audit—and some situate the CISO there as well.

Pros: The CFO can be in the know on approaching risk, reports to the board, and may make critical decisions about cybersecurity spending. Although some other C-level leaders have bemoaned the cost-centric focus of a CFO overlord, Egon Zehnder’s Bittianda points out that an increasing number of CFOs are evolving in their management approach in the hopes of taking over CEO roles in the future.

Cons: The downside, of course, is that many CFOs want to see returns, particularly if they are incentivized on year-over-year earnings growth, says Bittianda. “That can be a tough discussion for CISOs to have because it can be difficult to show the benefits of cybersecurity investments,” says Konings of BDO Advisory. They may lack sufficient technical understanding as well.

Option #4: Reporting to the CDO

The chief data officer is a relatively new corporate role often focused on preserving and expanding the value of corporate data, so there is certainly some overlap with the CISO’s role in protecting that data.

Pros: “A CDO that sees the company’s data as an asset, and who is aware of the company’s defensive skills, could be the right person to be responsible for information security,” says Edwards of law firm of Bressler, Amery & Ross.

Cons: CDOs who see their role as an offensive position, leveraging data to increase revenues, may clash with CISOs who see their role as defending the valuable information assets of a company. “This sets an inherent conflict and the end result is to place the CISO in a position of being perceived as potentially hostile to the business objectives,” says Katz of Nelson Mullins Riley & Scarborough. What’s more, that new CDO may not be able to give enough attention to cyber issues, thereby limiting the effectiveness of this structure. “Data breaches have become so prevalent that it requires full-time attention,” says Edwards. “Meanwhile, it would be a wasted opportunity if a company has data that could help gain market share, but was slow to execute because the CDO has other challenges to confront.” Additionally, if the CDO does not report to the CEO, this again puts a greater gulf between the CISO and the organization’s leadership.

Option #5: Reporting to GC/CLO

While not a widely employed approach, some companies have opted to move the CISO out from under IT and into the office of the general counsel (GC) or chief legal officer (CLO). This often happens in cases where the CEO recognizes the critical nature of cybersecurity and deems the GC someone to trust with it, according to Bittianda of Egon Zehnder.

Pros: GCs handle significant issues related to information governance and compliance and have a good idea about corporate direction since they often serve as board secretaries. They also tend to get involved when there is a cybersecurity incident. Unlike the CEO or even the CFO, the GC is not burdened with many other direct reports.

Cons: Because GCs don’t typically have many non-legal direct reports, they may not be the best managers. They are also more engaged in episodic security activities, like breaches, than operational issues.

Option #6: Reporting to the CEO

Three years ago, IDC predicted that 75% of CISOs would report to the CEO, but it’s still the exception rather than the rule. This typically occurs in tech-centric companies or those that have suffered high-profile cyber setbacks, and it demands a CISO who is a true business leader.

Pros: Reporting to the CEO maintains the independence of the CISO role and can enable “frank and candid discussion with respect to risk, resources, prioritizations and conflicts that may arise among the larger group of stakeholders within the entity,” says Katz of Nelson Mullins Riley & Scarborough. A dotted-line reporting relationship to the board or some other oversight committee with regular reporting requirements can strengthen this kind of arrangement.

Cons: Cybersecurity, while a high priority, is not central to CEO responsibilities in many organizations. “The greater number of principals who directly report to the CEO reduces the executive’s ability to focus on strategy and organizational leadership,” says Steve Berlin, litigation associate at Rumberger Kirk & Caldwell who helps clients develop cybersecurity policies and defend them in related litigation. A CISO who reports to the CEO but is not part of the management team is still a step removed from strategic decision-making. “In many cases, it’s better to report to the CIO, who is part of the management team, and can feed necessary information to the CISO,” says Konings of BDO Advisory.

Option #7: Reporting to the Board

An alternative that few companies have considered, but that is worth exploring, is having the CISO report directly to the board of directors or one of its committees.

Pros: “Ultimately, the board is responsible for supervising management. The board needs unvarnished information about a company’s cyber performance,” says Edwards of Bressler, Amery & Ross. “Direct reporting to the Board enables directors to ask probing questions of management without the information being sanitized. It also enables the board to get discrete cyber information outside of board meetings when they may be deluged with an array of issues.”

Cons: For this to work, the company’s board must have members with specific knowledge of cybersecurity issues and a willingness to oversee the CISO role and function.

Source: https://www.securityroundtable.org/whats-the-best-reporting-structure-for-the-ciso/

RSA Conference: CISOs’ top 4 cybersecurity priorities

I’ve spent a good amount of time talking to CISOs over the past few months to learn about their current priorities and how their jobs are changing. Of course, many of these security executives will be attending the RSA Conference in a few weeks.

What security executives are looking for

Based upon my meetings with security executives, here’s a sample of what CISOs will be looking for in San Francisco:

1. Executive-level threat intelligence

As business executives gain a better understanding about cyber risk, CISOs have been tasked with learning more about cyber adversaries and reporting what they learned to the board. To be clear, CISOs are not looking for deep technical intelligence on IoCs, exploits, or malware variants. Rather, they want to know who is attacking their organizations, for what purposes, and gather a high-level view of their tactics, techniques, and procedures (TTPs).

This exercise also extends beyond basic cyber attacks. CISOs want a better understanding about dark web chatter, fraudulent websites, credentials theft, and third-party risk management as it impacts their organizations.

In pursuit of this knowledge, CISOs will likely seek out vendors such as BitSight, Digital Shadows, and Flashpoint at RSA. Others (CrowdStrike, FireEye, Webroot, etc.) with deep threat intelligence chops should also be prepared for these discussions.

2. Integrated security platforms

Every CISO I spoke with said their current security technology infrastructure is overwhelming, so they have ongoing projects to consolidate and integrate security technologies. That means CISOs won’t be looking for individual products, but rather integrated security platforms they can implement over time. For example, CISOs want to talk about integrated threat defense — not endpoint security, malware sandboxes, machine learning, etc. individually.

On the backend, CISOs are kicking the tires on security operations and analytics platform architectures (SOAPA) that bring together disparate operations tools like SIEM, UEBA, EDR, security automation and orchestration tools, etc. IBM, Splunk, and others have a story to tell here, but vendors should beware of proprietary agendas. The CISOs I spoke with want to hear a different story featuring heterogeneous architectures, APIs, and open-source software.

3. Business risk

CISOs are getting more involved with business planning and strategy so they can assess risks, implement controls, and manage risk over time. In my humble opinion, the RSA Conference tends to under-emphasize risk management, but there will be some chatter about peripheral subjects such as digital transformation, IoT security, and the NIST cybersecurity framework. RSA (the company, not the conference) will be especially focused on the intersection between business and IT risk.

4. Changing security perimeters

Just about every CISO talked about the fact that mobility and cloud have obliterated the old network perimeter. As a result, many organizations are looking at identity and data security as evolving perimeters. While CISOs are prioritizing identity and data security, these topics get little more than lip service at RSA (although they may be jammed into GDPR-specific sessions). Identity discussions will center around multi-factor authentication and the software-defined perimeter (SDP, Cyxtera, Google, Zscaler, etc.), while data security chatter will focus on DLP (Digital Guardian, Forcepoint, Symantec, etc.) and encryption. Not exactly what CISOs will be looking for, but somewhat of a start.

My discussions with CISOs also tended to concentrate on people and process rather than technology. This makes sense, since many organizations continue to rely on manual processes for cybersecurity, and 70 percent of organizations claim they’ve been impacted by the cybersecurity skills shortage. Unfortunately, these focus areas are diametrically opposed to the RSA Security Conference, which tends to be a “hurray for security technology” festival.

The cybersecurity industry is booming, and I expect the RSA Conference to be a whirlwind of meetings, sales pitches, cocktail parties, etc. At some point, however, I hope we can all cut through the industry hyperbole and address these and other CISO priorities.

Jon Oltsik is an ESG senior principal analyst and the founder of the firm’s cybersecurity service.

Source: https://www.csoonline.com/article/3267965/security/rsa-conference-cisos-top-4-cybersecurity-priorities.html

It’s Time for CISOs to Become True C-Suite Business Leaders

When Equifax launched its search for a new chief information security officer (CISO) following its colossal data breach last year, the ability to operate as a capable C-level collaborator was at least as important as the candidate’s capacity for executing an effective information-security strategy.

The company’s new CISO, Jamil Farshchi—a business-aligned security leader who’s held the role at Home Depot, Time Warner, Visa, and Los Alamos National Laboratory—has been outspoken in describing the job as balancing the often-opposing demands of risk mitigation with business innovation. In order to do that well, CISOs must be able to manage not only their own information-security organizations, but also their relationships with their CEOs, boards of directors, and C-level peers.

Being able to communicate and collaborate both up and across the chain of command is a skill set that too few CISOs possess today, said Kal Bittianda, head of executive recruiter Egon Zehnder’s North America technology practice group, who worked on the Equifax CISO search. “CISOs in the past were ‘racks and stacks’ kinds of people. They managed the servers and manned the security dashboards behind a desk,” Bittianda explained. “They emailed updates, but they never spoke to anyone outside of their organizations. No one knew who they were—and no one cared.”

‘Out from the shadows’

Not so today, when every major corporation’s board and C-level leaders are on the hook for cybersecurity risk mitigation. They are holding half-day sessions to get a better grasp of what’s going on, and they don’t want to hear about it from the CEO or the CIO. They want to talk to the person in charge.

“Overnight, the CISO must come out from the shadows to stand in front of the board, and it’s a fairly daunting task,” said Bittianda. “Only some CISOs are capable of doing that well—and those people are in high demand.” Information-security leaders might be doing stellar work, but because they have not been trained in how to present a compelling case to board members, they risk being seen as incompetent.

The CISO’s peers have run this gauntlet in the past, thrust from executive obscurity into the spotlight. During the era of the Sarbanes-Oxley Act, board members wanted to hear from their company’s financial leaders to better understand the impact of financial statements and how to build robust internal controls. As technology became more central to corporate competitiveness, the board called on CIOs to help connect the dots between IT and business strategy. In many cases, it was trial by fire, and those who failed to rise to the challenge were often ushered out the door. In the past five or so years, the chief marketing officer (CMO) has come to the fore, with the advent of digital marketing and transformation.

Like the CFOs, CIOs, and CMOs who came before them, CISOs will now have to learn how to work with a variety of alien—that is, non-infosec—constituencies in a short period of time, each of which has their own specific interests in cybersecurity.

Business catalysts

“The pervasive use of technology means that legal, HR, marketing, ethics, compliance, and the board must understand these [cybersecurity] technologies, along with their risks and implications,” said Avani Desai, executive vice president and principal privacy leader at independent IT audit and certification firm Schellman & Company. “CISOs and CSOs need to learn how to move from being team leaders or group leaders to collaborators. We should see a paradigm shift, where CISOs and CSOs [evolve from] being assessors, technical champions, and compliance keepers to being business catalysts.”

This means not only presenting before the board, but providing more frequent updates to the executive team, fostering more open dialogue among business leaders, and spearheading the effort to mold the corporate culture to realize the value of information security.

That will require significant effort on the part of CISOs themselves. “They need to be able to talk to their business peers,” said Bittianda, “and if it’s something they’ve never done before, people might not make it easy for them.”

A good place to start is with the CEO and CIO. “I’m sure the CEO is already asking for updates on cyber,” Bittianda noted. “CISOs can look at what they need to do differently to be more effective in those conversations, seeking and accepting feedback on what works and what doesn’t.” CIOs—particularly the 70 percent who have CISOs reporting to them—have a vested interest in helping their information-security reports sharpen their skills by managing vertically and horizontally within the organization. “There’s a lot of incentive for them to help,” Bittianda said. “And they have lived through this journey themselves.”

Value of information security

CISOs should capitalize on every chance they have to speak to non-tech audiences to increase their capacity for explaining the value of information security in plain English. There also might be opportunities to get training internally or externally.

Just as important to CISO success as learning how to speak to business leaders is taking the time to understand their needs. The information-security organization has long been viewed as the department of “no,” with the CISO being a barrier to business success. “If someone in the business saw them coming, they’d avoid them,” joked Bittianda. It’s critical to change that perception, because the earlier information security is built into business strategy, the more likely it is that the CISO will be able to put effective practices in place. CISOs should be seen as more than “overseeing just technology or security,” said Desai. “They are business leaders who are helping to ensure and safeguard confidentiality, integrity, and availability of a company’s processes.”

For CISOs who want to build reputations as problem solvers rather than road blockers, “listening is huge—trying to understand the problems versus being perceived as the person who is adding more problems to their plate,” Bittianda said. “It’s important to build those relationships so they believe you’ve got their back and are willing to help them get things done.”

While the onus is on the CISO to sharpen his or her business-communication and collaboration skills, corporate leaders concerned that their security leaders aren’t up to the task should take an interest in helping them improve. After all, concluded Bittianda, those business-seasoned CISOs are still hard to come by, and companies may be better off growing their own than taking their chances on the open market.

Source: https://www.securityroundtable.org/time-cisos-become-true-c-suite-business-leaders/

How CISOs Can Successfully Talk Security to CEOs

It would be funny, if it were not so frustrating, that two individuals so intent on managing risk don’t understand one another. But that is the fundamental problem between business and security leaders. The gap is so huge that bridging it may seem nearly impossible. Yet, it can be done.

Here’s some much-needed illumination on why previous attempts to close the gap have resulted in bridges to nowhere—and how to fix that.

Understanding the C-level Perspective

“The fact that cybersecurity is a board issue is yesterday’s news,” said Nik Whitfield, CEO of Panaseer, a cybersecurity data analytics company. “While there is lots of data available, the puzzle that CISOs are trying to solve is how to bring this information together to show the board the picture they need to see.”

It’s like both sides are speaking a different language. The first step in effectively communicating with the CEO and board is to understand their risk language.

“As a CEO, my key concerns are growing the business and increasing shareholder value. As it relates to cybersecurity, I want a holistic picture, not a discussion of the latest technologies,” said Scott Kannry, CEO of cyber risk management company Axio.

Kannry noted his most valuable framework for understanding CISOs is to ask them to answer these four questions:

  1. Do we know our risk and fully understand the dollars and cents involved? Have we taken a sampling of scenarios, put various operational and functional staff around a table and used their collective knowledge to estimate what each of a variety of events could cost?
  2. Do we use a maturity-based cyber evaluation framework and align it with the scenarios quantified in the previous step?
  3. Do we maintain the resources and financial ability to recover from a meaningful event? Do we have the right balance of financial reserves and insurance to pay for as much (or all) of the forensics costs, notification requirements, lost revenue, stolen funds, legal fees and liabilities, repair costs or replacement of damaged assets and others? How do we understand how much insurance to buy? See Step 1.
  4. Do we benchmark our organization against others, possibly a peer group?

In short, CEOs and board members are looking for the bigger picture in risk calculations.

According to The Cyber Balance Sheet survey of more than 80 board members, CISOs and subject matter experts, “Board members were five times as likely to cite ‘risk posture’ as a key security metric compared to CISOs. They are also 13 times as likely to say the same about ‘peer benchmarking’ – showing boardrooms’ greater concern for the big picture.”

That same report found that board members are inundated with security data and often just assume CISOs have things under control. Hence, they tend to “tune out” and simply expect the CISO to keep everything secured. So when something does go wrong, all fingers point to the CISO—an untenable situation, to say the least.

Speaking in Business Tongues

“When discussing cybersecurity risks with the CEO, or the C-suite in general, it’s critical to bridge the gap from purely technical to business terms,” said Brad Arkin, CSO at Adobe. “Remember that top executives have to prioritize many aspects of the business, including investor expectations, revenue and profit, brand equity, employees, etc., so it’s your job as the CISO/security expert to illuminate the business case for security in a broader business risk management context.”

Specifically, this means dumping technical metrics and scare tactics from the conversation. Instead, focus on calculating risks in terms of business impact.

“As far as how risk is determined, the key is not to think primarily in terms of technical metrics, such as unpatched OS vulnerabilities or average password strength, but in terms of business impact,” advised Nir Gaist, founder and CTO of Nyotron, a security products and services provider. “What is the probability that bad thing X could happen to us? What is the business consequence of X? What is a possible way to calculate the financial impact of that business consequence?”

Tips and Pitfalls

Here is a quick list of dos and don’ts from your peers to help you build a conversation framework that will truly connect your message with the powers-that-be:

  • Speak to risk/reward appetites, not in absolutes. Businesses cannot survive, let alone prosper, if all risk is eradicated. “CISOs can fall into the trap of an engineering mindset that seeks technical perfection. This can undermine credibility and set up unfulfillable expectations. And it misses the central reality of business, which is that risk is essential to reward,” said Gaist.
  • Understand how your company makes money, and speak to that. “Effectively translating technical risk into business risk terms means you have to understand how your company makes money. A web-based company selling to consumers is going to be far more sensitive to web-server vulnerabilities than will a B2B logistics firm,” said Kip Boyle, founder and CEO of Cyber Risk Opportunities, a risk management consultancy and service.
  • Expect disbelief of your numbers, present them strategically. “Remember that no one believes the numbers on your deck right out of the box, and you’ll wind up in a debate over how good those numbers are. Instead, use numbers sparingly. If someone wants more numbers from you, let them ask for them,” said Gaist.
  • Set up a business report rather than a security report. “CEOs and other C-levels all follow clear forecasting, tracking and reporting. The closer the CISO can align to this methodology, the more impactful they will be,” said Tom Pageler, chief risk officer and chief security officer at Neustar and formerly chief risk officer at Docusign and deputy CISO/executive of global security and investigations director at JPMorgan Chase.
  • Make the impact more personal. Whatever you are describing or pitching, bring the point closer to the audience’s personal domain. “For example, if the discussion is with the VP of Sales, describe sales forecast impact. If the discussion is with the CFO, discuss the exposure to lawsuits and other activities that will stem from a breach and cause additional monetary damages,” said Jason Sinchak, CTO of mobile security company Sentegrity and CISO of Emerging Defense, a cyber-security penetration testing and breach investigation consulting firm.

Now you’re all set. Go forth with confidence, speaking in business terms and with the understanding that there is no “us versus them”—there is only “we.”

Pam Baker

Source: https://securityboulevard.com/2017/12/cisos-can-successfully-talk-security-ceos/
