David Stapleton is CISO at CyberGRX, where we are modernizing third-party cyber risk management with a data-centered approach.
The most frequently repeated guidance I heard during my early days in the cybersecurity field was, “If you can understand the technical elements of this job, but also communicate effectively to the business side of the house, that will be your golden ticket.”
When I first got my start in the security industry, I sought out leaders in the agencies I worked for who could help me avoid pitfalls, learn from their past successes and failures and generally counsel me in my new career. Almost to a person, they encouraged me to be passionate about the technical aspects of my role but to also ensure that I fully understood (and could communicate) the business of our organization. I haven’t always followed that guidance, to my own detriment, but my introduction to the CISO role in late 2019 has emphasized the wisdom of my early mentors all these years later.
The CISO role has evolved significantly since its inception in the mid-1990s. Early CISOs were primarily a technical bunch, focusing on risks associated with current trends like the explosion of enterprise email usage and the internet in general. Executives often didn’t know what to make of this new role and in some cases were outright resistant or skeptical about the need for a highly placed individual whose primary focus was information security. Many CISOs reported to a CIO, and it was the CIO who was expected to set priorities, approve budgets, communicate with other executives and even accept security-related risks.
Over the decades, the importance of data security — and by association, the role of the CISO — has evolved considerably. The rapidly growing ubiquity and utility of the internet and, subsequently, cloud services have been some of the biggest drivers of change.
In addition, digital transformation is pushing cybersecurity to the fore at a pace that is difficult to match. Data is commonly the product that we sell to our customers today, and information itself, whether personal or business-related, is more valuable than it has ever been. To make matters even more challenging, this has all given rise to the reality of cyberattacks and breaches as an existential threat to company success. As a result of these changes, effective cybersecurity has become a necessity for organizations of all sizes, industries and geographies.
It can be easy to fall into the trap of thinking that the security mission of an organization stands somewhat separated from the business mission. I believe that those days, if they ever truly existed, have long since passed. As the cybersecurity leaders for our companies, today’s CISOs are expected to do much more than simply secure data. We are market-facing advocates for our businesses and are expected to represent our company brand with professionalism and expertise.
CISOs are an integral part of attracting lucrative prospects and retaining customers. We are often called upon to provide valuable, risk-based input for strategic planning and decision making. In some industries, CISOs are asked to contribute to the ideation and testing of products and services. In almost every case, we are responsible for providing executive-level reporting on issues that are paramount to achieving the company mission.
I hope you will agree that the ability to effectively understand and communicate our business is essential to the success of modern CISOs and the organizations we support. The following are three recommendations for how to achieve and maintain this capability:
1. Make time to engage and learn. As a CISO, you are likely inundated with a laundry list of critical tasks that can easily distract you from all other activities until the end of time. This can have the effect of isolating you from colleagues and organizational leaders, which in turn reduces your exposure to strategic and operational information in the form of one-on-one conversations, strategy sessions, working groups and, yes, plain old boring meetings. Give yourself space to participate in the conversation so that you can best understand the mission, opportunities and challenges associated with your business.
2. Learn the language of business. Return on investment (ROI), total cost of ownership (TCO), annual recurring revenue (ARR), conversion rate, key performance indicators (KPI). These are examples of the vocabulary used to conduct business, and understanding how and when to use them is key to CISO success. One excellent way to become familiar with these terms is to immerse yourself in them through reading. Business publications like Forbes, the Wall Street Journal, Inc. or the Harvard Business Review are great resources for engaging and informative articles that offer excellent exposure to business vernacular.
3. Translate security details into a discussion of business risk. Executive teams and boards of directors may not know what to make of your deep dive into the technical implementation of FIDO2-powered authentication. What they really want to know is that you have made efficient use of your security budget to address risk in the most effective way possible. Use your precious time with them to talk about topics like top risks in your enterprise, security program maturity, integration and partnership opportunities, emerging threats and compliance challenges.
Today’s CISOs wear many hats. From moment to moment, we may be expected to advise on a technical security specification, respond to an ongoing security incident or provide guidance on how to address the most recent emerging cyber threats. In addition to these traditional roles, CISOs are now also expected to be business leaders and strategic contributors. Gone are the days when security programs were merely thought of as an isolated cost center. The new CISO, properly engaged and equipped with business awareness and acumen, is now also a business enabler.