Technical expertise and cybersecurity knowledge alone will not take CISOs very far. To earn respect, ownership, and trust, today’s CISOs also need a comprehensive understanding of their businesses.
It is as critical for today’s CISOs to be business leaders as it is for them to be security experts. Being a security professional is the baseline expectation for being hired; becoming a business professional is something the CISO must proactively learn if they wish to be recognized as a valued member of the core executive team.
Few CISOs are adequately well-versed in the actual business of their organization. The presentations, talks, and conversations at security conferences center on certifications, technology, and policies; it’s rare to see security leaders discuss, at any level of detail, the many factors that contribute to revenue generation in their business.
Most people land in the role of CISO or senior security professional through their knowledge of security technology, risk management, and their company’s security threats. In most cases, that still doesn’t earn them a respected seat at the executive table.
Like it or not, in most firms security is not the foundation of revenue generation, so it has to compete for visibility with executive leadership. CISOs are mostly perceived as technology geeks who don’t think broadly enough to be part of the business conversation.
CISOs have struggled for the past two decades to prove that they deserve to be part of the executive leadership team. Still, most security professionals have clearly not done their homework to take advantage of that opportunity.
Most CISOs are fairly well-versed in the underlying security risks. The question is how well they understand the other business risks: inflationary risk, market risk, competitive risk, operational risk, political risk, and regulatory risk beyond the basics such as GDPR, HIPAA, CCPA, and PCI.
These are the real risks business leaders must weigh every day, and expectations are growing. CISOs don’t need to be the experts on them, but they definitely need to be at least conversant in such matters.
CISOs need to understand the fundamentals of how their company generates revenue in order to evaluate which security programs it actually requires. They must comprehend how the business brings in money and which processes actually create value.
Understanding value and revenue
Most business models are relatively simple: sell a product or service for more than it costs to make the product or deliver the service. The better a CISO understands the secret ingredients behind that, the better they can build a security program to protect them.
Risks differ across sectors of the economy. The security leader also needs to analyze where value is created in order to evaluate the existing security risks in terms the board and management can understand.
Security and business alignment
When a security executive with vision understands the business need, the security program will align with what is most critical to the business. Monitoring how the business is doing, and running a security program agile enough to react to market changes, allows for true and appropriate risk mitigation.
When CISOs understand their business, the security program makes sense to the executive team, who will value and respect security more because its alignment with the business is obvious. That is how CISOs earn their much-deserved seat at the executive table.