C-Suite undervalues CISOs and cyberattack risks
Security chiefs must improve executive relationships and set clear expectations to reduce stress.
Key takeaways:
- Increased cyberattacks raise organizational tension
- Explaining risks and countermeasures helps business leaders be more supportive when breaches occur
- Understanding business-team objectives and relying on data can smooth relations among the C-suite
During an especially stressful week in the early days of the pandemic, Gary Hayslip, chief information security officer at SoftBank Vision Fund, sought an at-home escape. He and his wife assembled a 4,700-piece, four-foot-long Star Wars Imperial destroyer out of Legos. “Very calming and meditative,” Hayslip says.
And very necessary for many CISOs.
The past 18 months have added to the pressures on corporate security chiefs, many of whom continue to face major internal challenges along with ongoing external threats. CISOs have navigated a sudden shift to remote work, a dramatic increase in cyberattacks and a heavier workload due to shortages of security staff. They’re also being assigned new tasks, such as compliance with privacy regulations. On top of all that, they face a fraught and uncertain relationship with their organizations. A recent EY survey of global information-security executives suggests those relations have never been more strained.
“Given today’s shape-shifting nature of doing business post-pandemic and an unrelenting threat landscape, CISOs arguably have the toughest job on the organizational chart,” says Manoj Bhatt, head of cybersecurity advisory at Telstra Purple, a technology consulting firm owned by Telstra, Australia’s largest telecommunications provider.
Making it tougher, many C-suite colleagues fail to understand security risks and don’t appreciate that cyberattacks are inevitable, says Matthew Rosenquist, CISO at Eclipz, a Silicon Valley provider of encryption technology, who also writes and speaks frequently about the challenges facing security executives.
This can put cybersecurity leaders in no-win situations. “If you do a poor job and the company experiences loss from attacks, the CEO says, ‘Why do we need you?’” Rosenquist explains. “If you do a great job and there’s no loss at all, the execs will still say, ‘Well, everything’s fine, so we don’t need you.’”
Veteran CISOs and other security experts say better communication with other C-suite leaders and board members can go a long way toward easing tensions at the top and reducing the pressure CISOs are under. Here are several strategies they suggest to foster empathy and understanding with those key groups.
1. Set realistic expectations and empower the C-suite with details
Most CISOs understand the threats they face and what’s being done to forestall them. It’s their job to make sure other executives have the same knowledge. If leaders understand that breaches are a business reality and are confident in the countermeasures, they’re less likely to feel blindsided.
“Everyone sees news of breaches all the time, so you have to be out there talking to people about how this risk relates to your company and what systems we have in place, in order to give the broader context,” says Hayslip.
At SoftBank, Hayslip makes a point to meet with other department leaders to understand their business objectives, the critical resources they have that need protection and the friction that security measures may be creating for their teams. He sees his role not simply as a technical leader but as a “business executive who manages risk,” he says. “You can’t just sit in your security box and be the master of your domain.”
2. Know your audience to communicate effectively
As the top security executive, the CISO serves as an important liaison between business departments and InfoSec teams. Communicating effectively requires understanding each audience’s priorities and speaking its language, not the complex jargon of cybersecurity and IT.
Only about a third of CISOs, though, say they have strong communications skills, according to a recent survey by ClubCISO, a London-based organization of 500 global cybersecurity leaders. And while the survey notes that business knowledge is far more important to the job than technical knowledge, only a minority of CISOs say they have enough of those skills.
That’s why knowing your internal audience is so critical. “If it’s an HR audience, I might discuss the confidentiality of sensitive employee data,” says Rosenquist. “Finance teams are interested in the integrity of their records and processes. Product line executives want to know how security controls will impact profitability and product plans.”
3. Measure what will make you noticed
After the CEO, the CISO’s most important C-suite colleague is the chief financial officer, who controls budgeting. A positive CFO relationship can help make more resources available to ease workloads and to fund other security initiatives.
Hard data is an essential tool when working with finance chiefs (and with other business leaders). Some CISOs provide data showing the number of threats that were thwarted over the past 12 or 18 months, how they were defended, and what the attackers were aiming for, says Khalid Kark, CIO Program Research Leader at Deloitte.
One CISO in the financial services sector, Kark recalls, created custom cyber-risk dashboards for each of his C-suite colleagues and other business leaders, allowing them to regularly check a menu of security metrics.
“In cybersecurity, what gets measured gets noticed,” Kark says. “Having defined metrics helps tell the story.”
Hopeful signs ahead
The ClubCISO survey suggests a more positive outlook for CISOs heading into 2022: 86% of CISOs said their organizations now view security as being as important as they do, up from 65% before the pandemic. And nearly 70% of respondents agreed that their organizations have a positive security culture, up from 45% in 2020.
Meanwhile, individual CISOs are finding their own ways to combat stress. Rosenquist unwinds by riding his motorcycle in the foothills of the Sierra Nevada, not far from his home near Sacramento. “It’s something totally predictable that you have total control over,” Rosenquist says. “Totally different from cybersecurity.”
Hayslip and his wife recently booked a Hawaiian cruise, their first vacation requiring air travel in years. “In this field,” he says, “you have to have ways of detaching.”