As frustrating as it can be for IT leaders and CISOs to struggle with a lack of respect from a CEO and the rest of the C-suite, in many ways they need to look in the mirror to place blame for that situation. As we've discussed in the past here at Business Insights, a lot of the respect issue comes down to ineffective communication. CIOs and CISOs still tend to grow up in the technical realm and may not have developed the presentation skills and other soft skills that their non-technical colleagues leaned on to climb the corporate ladder.
True, continuing education can help CISOs further advance their communication delivery methods. But these security leaders also need to engage in a little introspection to think about the ultimate business goal behind each of their interactions with the CEO. Because even though the manner in which a CISO communicates is important, even more important are the messages that they choose to prioritize.
Effective communication is all about choices. After all, you have the attention of any given audience for only so long, whether it is the recipient of an email, someone you're talking to on the phone or an executive sitting on the other side of the board room table. And, unfortunately for CISOs, they tend to choose messages that don't really resonate with the CEO or other line-of-business leaders.
"If you want a metric that is going to influence a CEO, you'd better give them something that actually influences their decision-making," Gartner's Paul Proctor told Careers Info Security in an interview last summer. "Problem is, most security officers don't even know what decisions their CEO makes every day. So how on earth are they ever going to deliver anything relevant to them?"
So as security teams gear up to make a plea for more budget or executive support for new initiatives, they need to start with empathy. Try to understand the biggest business problems the CEO is dealing with and relate that back to security. Many CISOs will find that as they do this, the following three messages may start to bubble up as the ones that really resonate:
Don't focus on vulnerabilities—instead deliver a message of value. While security rarely contributes to top-line revenue growth, there are plenty of areas where IT security and risk management deliver real business value through resilience, customer trust and so on. Unfortunately, many CISOs fail to translate security investments into business value, leaving CEOs and board members to cling to the idea of security as a cost center that needs to be minimized. Part of the problem is that CISOs never take the trouble to understand the business well enough to do that translation.
"If you take the average security officer and ask them to describe what the desired business outcomes of their organization are, they can't do it," Proctor explained. "Some of the challenges and skills that they need to develop, in addition to understanding their own business, is being able to connect the … threat of security failures to business failures."
For example, Proctor describes a car company in Europe where a car is made every 90 seconds, so one hour of downtime can cost 40 lost cars in inventory. When security problems contribute to that downtime, and the security team can relate it back to lost cars, they are demonstrating the real business value of security to the CEO.
"(The car company security team is) now enabling the business to be more efficient, to increase output and as a result of that increase profit. So it is possible to actually produce things that do in fact enable the business," Proctor explained.
RISK VS SECURITY INVESTMENT
One of the big ways CIOs and CISOs undermine their credibility is by chasing the latest new and shiny protection technology without doing their due diligence to show how that relates to the value of the asset being protected.
Spending on security should ultimately be predicated on how much the data or the systems are worth or how much revenue they bring in.
"It just depends on the organization's risk profile, and what they have to lose. You don't want to spend $1 million to protect $50,000 worth of data," Booz Allen Hamilton CIO Kevin Winter recently told FierceCIO. "That goes to making sure that you spend those dollars very efficiently, very effectively."
Ultimately, this message depends on the CISO working with the business to put a value on the assets they want to protect and comparing that to recurring and proposed new security costs to ensure that they stack up.
THREATS TO BOTTOM LINE
At the same time, some experts say that CISOs shouldn't go through too many mental gymnastics to turn every single security message into one about security's role in the core business.
"For the past 10 years, the same mantra has implored IT security professionals to learn to speak in terms of the core business. But this has not worked," wrote Richard Stiennon of IT-Harvest in a recent guest piece for TechTarget.
Stiennon believes that CISOs could get more traction if they could talk threats with the C-suite in a manner more visceral than simply presenting statistics or graphs on malware prevalence or incident response time.
"Stop presenting risk scores and start talking about threats, indicators of attack and compromise, and threat actors," Stiennon recommends.
He points to the CISO at Lockheed Martin, Chandra McMahon, as someone who does this well, by correlating attacks and organizing them into what her team calls a "Chart of Campaigns." According to Stiennon, it is the best communication tool he's ever seen for translating threats to the business. Lockheed's security team takes common elements such as IP addresses, domains from which spear phishing emails are sent, families of malware used, methods of packing payloads and executives targeted, and uses them to build a comprehensive picture of the campaigns actively being waged against the business.
"The Chart of Campaigns may have anywhere from four to 15 current and active campaigns. Across the top is each stage of the Kill Chain, and the body of the chart shows which protections that week caught and mitigated attackers," he explained, saying that it creates the kind of visceral reaction from the C-suite that will spur buy-in and cooperation. As he explains, they'll say "'These bad guys are trying to get our stuff. We must take all measures possible to stop them!'"
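The two paragraphs above describe the Chart of Campaigns as a correlation of shared elements into campaigns, laid out against Kill Chain stages with the protection that caught each step that week. The following is an added example, not Lockheed's tooling or code from the original post; it uses constructed alerts, an assumed seven-stage Kill Chain list and assumed field names to build one such weekly chart.

```python
from collections import defaultdict

# Assumed stage names; any ordered list of Kill Chain stages works here.
KILL_CHAIN = ["Recon", "Weaponize", "Deliver", "Exploit", "Install", "C2", "Act"]

# Constructed sample alerts (not real indicators). Each records the week it was
# seen, the Kill Chain stage, the shared elements the text lists, the executive
# targeted, and the protection that caught and mitigated it.
ALERTS = [
    {"week": "2024-W10", "stage": "Deliver", "sender_domain": "spear.example",
     "malware": "FamA", "packer": "upx", "target": "CFO", "caught_by": "email gateway"},
    {"week": "2024-W10", "stage": "Exploit", "malware": "FamA",
     "target": "CEO", "caught_by": "endpoint AV"},
    {"week": "2024-W10", "stage": "C2", "src_ip": "203.0.113.7", "packer": "upx",
     "target": "CFO", "caught_by": "egress proxy"},
    {"week": "2024-W10", "stage": "Deliver", "sender_domain": "invoice.example",
     "malware": "FamB", "packer": "custom", "target": "CEO", "caught_by": "email gateway"},
    {"week": "2024-W09", "stage": "Install", "malware": "FamB",
     "target": "CEO", "caught_by": "endpoint AV"},
]

def correlate(alerts, keys=("sender_domain", "malware", "packer", "src_ip")):
    """Group alerts into campaigns: alerts sharing any listed element are linked
    (union-find), so a domain seen with malware FamA and FamA seen with a C2 IP
    chain into one campaign."""
    parent = list(range(len(alerts)))
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i
    first_seen = {}
    for i, alert in enumerate(alerts):
        for key in keys:
            value = alert.get(key)
            if value is None:
                continue
            if (key, value) in first_seen:
                parent[find(first_seen[(key, value)])] = find(i)
            else:
                first_seen[(key, value)] = i
    groups = defaultdict(list)
    for i in range(len(alerts)):
        groups[find(i)].append(alerts[i])
    return list(groups.values())

def chart_of_campaigns(alerts, week):
    """One row per campaign; each Kill Chain column lists the protections that
    caught that campaign at that stage during the given week."""
    rows = []
    for n, campaign in enumerate(correlate(alerts), 1):
        row = {"campaign": f"Campaign {n}", "targets": sorted({a["target"] for a in campaign})}
        for stage in KILL_CHAIN:
            row[stage] = sorted({a["caught_by"] for a in campaign
                                 if a["week"] == week and a["stage"] == stage})
        rows.append(row)
    return rows
```

Campaigns whose activity fell in an earlier week still appear as rows, with empty stage columns, which is what lets a CEO see that a campaign is persistent rather than a one-off alert.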
While there might not be a silver bullet for improving relations between IT security leaders and board room executives, it is clear that CISOs need to start somewhere. As things stand, fewer than half of CISOs today regularly work with their CEO. Rather than pointing a finger at out-of-touch executives, security leaders would do well to reexamine the message themes they're relaying to the C-suite. These three themes may not be the end-all, be-all, but experts believe they're a good start.