The most transformational job in the corporate world right now isn’t glamorous, certainly isn’t easy, and at times is even a little thankless. It’s a job where little can go right and a lot can go catastrophically wrong. If that isn’t enough, it’s probably the hottest seat in corporate America today.
The job I am talking about is that of the chief information security officer (CISO). And, if I were rising through the ranks of an enterprise IT department, CISO is the job I would seek out to make my mark.
Everyone knows that enterprises are facing daunting cybersecurity challenges. The mammoth data breaches that have plagued Target, Home Depot, and most publicly, Sony, have made the security failings of large public companies a regular feature in every mainstream news outlet, creating speculation about how enterprises and governments alike are fighting cybercrime, or failing to do so. Cybersecurity has never been a more visible issue, and CISOs will ultimately be the ones to ensure corporate America meets this challenge.
Security and risk management must become part of every business decision, and nobody within the enterprise is better positioned to advocate for those issues than the CISO. That’s why the job’s so critical to businesses right now, and why it also has far-reaching implications for today’s corporate boardroom. The security executives who successfully take on that role are changing how boardrooms weigh risk and ultimately make decisions.
Once an obscure position for cybersecurity specialists, the CISO’s addition to the boardroom has come as a response to the constant rhythm of data breach headlines in recent years. But research we conducted with Opinion Matters shows that CISOs are still held at an arm’s length and do not have the decision-making or purchasing power they need to make a difference.
More importantly perhaps, they often lack the respect of their peers in the C-suite or are viewed as convenient scapegoats in the event of a data breach. Simply put, the C-suite remains unsure of this relative newcomer, and turf wars and corporate politics are only putting organizations and consumer data at greater risk.
As an executive at a cybersecurity company, I speak to CISOs on a daily basis. I continue to be amazed at the internal obstacles many of them face. But truly successful CISOs have figured out how to make it work. It’s a valuable lesson for any aspiring CISO, not to mention other members of the C-suite who know that now’s the time to rethink corporate strategy in terms of placing sound cybersecurity and risk management front and center. In my discussions with effective CISOs, there’s a commonality in how they approached their job:
There will be a lot of up-front education, especially for organizations hiring their first CISO, about today’s threat landscape. It’s critical that CISOs explain to their C-level peers exactly what their mission is in terms of enabling the business while mitigating risk.
Clearly defining areas of responsibility and reporting structure–especially when a CISO does not report to the CIO, since cybersecurity’s still narrowly viewed as an IT issue–is absolutely critical to successfully implementing the cybersecurity strategies enterprises need.
To gain credibility and change perceptions, CISOs need to stop discussing security in a vacuum and start explaining it in terms of the bottom line. Some executives might not know a firewall from a hole in the wall, and they don’t have to. A good CISO identifies risk, explains the best ways to prevent it, and lays out a comprehensive strategy for accomplishing that, grounded in a strong understanding and demonstrated knowledge of each department’s objectives and how it operates.
It’s no longer enough to be the voice of “no” in the boardroom–the compliance officer mind-set is dead.
Instead, CISOs need to advocate good security practice as a competitive advantage for the business. Security cannot be viewed as a hindrance, but rather an organizational priority that ensures future growth and success.
An educated, security-minded C-suite is the first step in establishing a security-centric culture throughout the organization. By establishing parameters for what success looks like, CISOs create a framework where they and their peers can be successful together.
The path above is certainly easier said than done, and there’s still the whole separate battle of actually fighting cybercriminals. But if enterprise security is to be improved, CISOs are the ones to do it.
It requires a strong-willed and confident individual who will stick to her guns. But it also requires a mature C-suite that recognizes and embraces these new corporate leaders.
The vast majority of people in my industry see enterprise security as woefully unprepared for today’s threat landscape, but only a very small group of highly skilled specialists have the ability to fix it–and along the way, the truly successful ones will transform how decisions are made throughout the enterprise. That all spells tremendous opportunity for a new generation of corporate leaders taking on the role of CISO.
—Usman Choudhary is senior vice president and chief product officer at ThreatTrack. Usman is responsible for defining and executing the company’s product development strategy, and driving new cybersecurity innovations throughout its global research and development organization. He leads teams responsible for the creation of new advanced threat defense technologies and VIPRE endpoint security solutions.