A survey conducted in July 2014 by ThreatTrackSecurity reported that 74% of the 203 U.S.-based C-level executives queried do not believe CISOs "deserve a seat at the table" and think they should not be part of an organization's leadership team. This reinforces the notion that CISOs are primarily viewed as convenient scapegoats in the event of a data breach.
Not all C-level positions are created equal. Depending on the CEO, the executive board makeup and manner of doing business, CxO positions exist to support the business, and to collaborate on and make decisions that best suit the enterprise to ensure viability, profitability and success.
The question of whether the CISO "deserves a seat at the table" in a C-level position is not the issue. The real issue is whether the CISO is providing the right level of support, education and information to the CEO and the line executives who make informed business decisions on risk and security. Much like the CIO, corporate counsel, chief privacy officer and chief auditor positions, the CISO role exists in part to provide expert advice and counsel to executive management.
It is not uncommon for some CxO positions to be part of the executive leadership team as non-voting members. For example, chief auditors should never be voting members of the executive team, but they clearly should have a "seat at the table." CIOs and CISOs should also have a seat, as long as they don't kowtow and do add value to the business-decision process.
How to be a better CISO
How can the CISO gain more prominence and responsibility in the eyes of C-level executives? While the survey reports that 74% of the executives queried don't believe the CISO belongs on the leadership team, the other 26% presumably view the CISO as an active member of it. So what is this smaller group of CISOs doing to earn that respect? Are they adding value?
The CISO can use certain tactics to earn a greater level of trust from the executive team and make the CISO role more valued and respected.
- Use the "three C's" to emphasize the importance of information security within an organization:
o Cooperation precludes pernicious silos;
o Communication is critical but it must be incisive, relevant and done with aplomb; and
o Counterbalance ensures contributions are commensurate with business objectives.
- Identify a C-level team member who can champion the CISO's contributions and participation. Befriend, educate, earn trust and provide him or her with insightful information that will also elevate his or her visibility and credibility.
- Schedule monthly executive management reports on the state of information security for your enterprise. Use graphics, red-yellow-green icons to highlight areas to focus, and communicate your message in business terms related to cost, ROI, risk, growth and compliance.
- Give business managers reason to praise your efforts and value. Meet with key business managers to better understand their pain points as they relate to information security, risk and compliance. Be a trusted business advisor.
- Stay informed of current events and new technologies, especially as they relate to your enterprise industry.
- Embed information security in the project management cycle, the change management lifecycle and the information governance process.
- Hire or build an exemplary staff with passion for information security.
- Be a luminary in your field so executive management is aware of your endeavors, not only from within, but from others outside your organization. Write articles. Give lectures on information security. Participate in professional organizations to gain insight into what works and what doesn't.
Of course there are other ideas that may be more specific to your enterprise business culture, management practices and business objectives. But, above all else, do not stay idle. Do not wait to be called upon by other C-level positions for contributions. Do not strive for perfection. Strive for excellence. Do these and you will not go unnoticed.
About the author:
Miguel (Mike) O. Villegas is vice president for K3DES LLC, a payment and technology-consulting firm. Mike has been a CISO for a large online retailer, partner for a "Big Four" consulting firm, VP of IT Risk Management, IT Audit Director for large commercial banks and owner of an information security professionals firm over a span of 30 years.