How to Value a Business with Cybersecurity Leaders
In recent years, organizations have increased their focus on enterprise security operations, and the COVID-19 pandemic has become the trigger to increase that focus even more. Many companies are beginning to realize the business impact of cyber threats brought on by rapid digitalization, and the significant role of the Chief Information Security Officer (CISO) in business decisions.
The modern business model requires CISOs who can navigate effectively within the digital transformation, and organizations need to know how to develop the CISO's talent so that it serves business value.
Who is the CISO?
A CISO is responsible for establishing security strategy and managing the growing set of security risks that an organization faces, using new methods to secure its data. The CISO must prepare the organization with the right tools, skills, resources, relationships, and capabilities against growing information security risks.
What makes an effective security leader?
Communication
Good communication skills, both verbal and written, enable security leaders to communicate with internal and external stakeholders at all levels. The most effective leaders today build trust through cross-organizational relationships. This trust drives the prioritization of security projects, even in departments where security is not mission-critical. CISOs need a high level of patience, as changing how an entire organization works takes endurance.
Being a business leader
Modern CISOs must be able to tie all security activities back to business needs, listen to the business, and make risk-based, business-oriented decisions without disrupting operations. The CISO must evangelize the importance of security internally and make teams understand that security is a business enabler, not a barrier, and must look for ways to support the business needs they hear.
Excellent security knowledge
It is no longer enough for a CISO to specialize in one area. They must have a strong understanding of all aspects of security, as well as how those aspects affect the broader structure of an organization. A well-rounded CISO needs a skillset that is half technical (e.g., security operations, risk, audit) and half business acumen (e.g., business economics and finance).
They must be able to ask the right questions and to explain technical details in an understandable manner to other executives.
Continual development and collaboration with other CISOs
A modern CISO must develop his/her skills on an ongoing basis, balancing between technical skills and business acumen and being curious for knowledge in disciplines outside of cybersecurity (e.g., business economics).
CISOs must recognize the shared value of collaboration across organizational functions, and between organizations, when it comes to cyber defense. Such collaboration helps CISOs execute their role better and expand their networks. CISOs need to learn from other CISOs about industry cyber trends and incidents, as well as compare the maturity and priorities of their cyber programs.
How to develop the CISO's talent to serve business value?
CISOs are increasingly expected to understand the mission of the business and align security investments and priorities with those goals, so mentoring programs for CISOs are a necessity.
The mentoring program should help them communicate risks to the board and senior management with confidence and knowledge, built on a good understanding of the critical assets, the company's goals, and its vision.
Reading financial statements and appreciating the importance of cash flow may not seem like basic knowledge for a CISO, but in practice, and with mentoring, they should become so. The same can be said for understanding supply chains, knowing who the key customers and vendors are, and determining which costs can really impact the organization's ability to generate income and meet its business goals.
These issues are not necessarily the CISO's responsibility, but the ability to demonstrate business acumen gives the security professional great influence with these other players. A CISO who can demonstrate having more than a one-track mind may suddenly find more allies within the organization.
How cybersecurity personnel save companies money
Most board and senior management members lean more towards management than technology, and they might not understand that spending more money on cybersecurity now may prevent huge losses from cyber-attacks in the future.
On average, data breaches now cost companies $3.86 million per breach, according to a report from IBM Security and the Ponemon Institute. Researchers with the Ponemon Institute interviewed more than 3,000 people working for 524 organizations, across a variety of industries and countries, that experienced data breaches between August 2019 and April 2020.
Personally identifiable information was exposed in 80% of these incidents, and more than 75% of respondents said that remote work, driven by the spread of the COVID-19 pandemic, had become a major security consideration.
And these are just the metrics for data breaches; remember that breaches are not the only threat to an organization's resilience.
It is less expensive to prevent cyber-attacks than it is to repair the damage when they happen. Full-time cybersecurity personnel can protect against cyber risks, limit the severity of attacks, and ensure continuity of operation. Their expertise can save money and even keep the business from going under after a crisis.
In a perfect world, every company would have a CISO. However, a small or medium-sized business may not be able to justify a dedicated CISO. In those cases, it can make sense for the organization to distribute security responsibilities across existing roles and use resources such as CISO-as-a-service or external consultants to provide targeted guidance and expertise at a flexible cost.
Conclusion
A CISO is a security leader, an advocate, and a champion that drives cultural change and promotes security throughout the organization.
Every CISO comes into the role with different abilities and strengths; the important thing is to identify how these strengths can be built on to deliver business value. Security can no longer be left as the sole responsibility of the CISO: the role is changing with the rapid evolution of technology and business, and security has become intrinsic to every aspect of the company's operations.
Coaching and mentoring for CISOs should be a serious consideration, to give them a good cultural fit for the organization, exposure to more functions than their own, and a broader perspective on security.
Having a security team that is responsible for the management and control of information security is crucial, and obtaining a strong CISO is one of the most important tasks in an overall strategy to effectively protect a business and its critical data.