CISO pulse check: Advice for communicating with boards and senior leaders

May 09, 2024
The biggest challenge facing the modern CISO isn’t a technical one. It is, in fact, demonstrating consistent alignment with business objectives and showing how the CISO’s day-to-day efforts support them.

That’s according to veteran CISO turned Zscaler VP & CISO in Residence, Sam Curry. I had the chance to attend a panel discussion led by Curry at last month’s CXO Exchange in Nashville hosted by Zscaler. He was joined by two other established CISOs: James Beeson, former SVP & Global CISO at Cigna Health, and Paul Reyes, former CISO of Vistra Corp., an energy utility based in Irving, Texas.

Curry was referring to technology’s tendency to become the dominant focus for technically-minded CISOs. Instead, he suggests the rest of the business would be better served by focusing elsewhere, namely, how security initiatives advance overall business goals.

This is especially critical for CISOs when it comes to communications with boards and senior leadership, a major theme of the discussion. Board communications are a rising concern both for business leaders, who increasingly understand the magnitude of cyber risk, and for the CISOs expected to describe how they are defending against it.

While cybersecurity has become a “disproportionately huge topic” for many boards according to some leaders, Reyes notes that his former company had a longstanding interest in the issue. As an energy provider in a critical infrastructure sector producing “everything from nuclear down to batteries,” Reyes' board was concerned about nation-state actors and interested in how he was countering them.

To address that concern, he started by building an understanding of what the board considered the critical aspects of the business and its risk tolerance for each business unit. This gave Reyes a better sense of how to prioritize both his efforts and his conversations with senior leaders when it came to more technical topics like attack surface reduction and endpoint protection.

“I use four categories: low, medium, high, and critical,” said Reyes. “Low, the board doesn't need to worry about. Medium, the ball is still in my court, but here's my plan. High, we are approaching the board's risk threshold. And critical, hopefully we never reach that.”

For Beeson, simplification was the overarching goal when he joined The Cigna Group, both from a technology and a communications perspective. Simplifying the security program approach was a priority for his team, but when it came to explaining that to the board, Beeson understood he would need to translate the “geek speak” into the language of the business: finance.

"I tell young people looking to be CISOs all the time, if you don't know anything about finance, accounting, and economics, you should go learn that,” he said. “I don't care if you run an ice cream stand or a 200 billion company, you've got cashflow, you've got profit and loss, you've got balance sheets.”

Beeson says he uses a "rule of five" to simplify topics for non-technical audiences: any more than five points makes it hard to grasp the key takeaways. So he limits his explanations to these five main categories of risk:

  1. Business disruption – The North Star for technology should always be keeping the lights on and the business running.
  2. Unauthorized access – Whether it’s an inside actor or external party, anyone having access to systems and information they shouldn't is a bad thing.
  3. Data leakage/data loss – This is the one that will land your company on the front page of the Wall Street Journal. And not in a good way.
  4. Business resilience – In the event of an incident, do you have a plan for resuming normal operations? The longer this takes, the more damaging the incident can be.
  5. Regulatory non-compliance – Chances are, your business is regulated in some sense. Falling out of compliance, especially in heavily regulated industries, is of significant concern to boards.

Ultimately, Beeson likens the CISO's role in these conversations to that of a lawyer briefing a client. "At the end of the day, I'm just a partner giving you the information you need to make as informed a decision as possible," he says.

Other takeaways from their conversation:

  • Risk is the ultimate metric – Missed-patch metrics may look like a concerning statistic to board members, but they do not capture the fact that, "From a risk perspective, every one of my endpoints, including in the office, are off my network. None of them touch my critical infrastructure," explains Reyes. "That's below your risk tolerance."
  • Optimize your “say/do ratio” – Credibility and reliability are two of the most valuable assets any CISO has. They are built over time, by repeatedly doing what you say you will do. A CISO's relationship with the board is ultimately an interpersonal one, so CISOs must show that they empathize with and support the metrics that matter to other teams.
  • Leverage real stories to convey key concepts – Storytelling is an effective tool for CISOs to educate the board and other stakeholders about cybersecurity risks. By using real-life examples, CISOs can demonstrate the importance of aligning cybersecurity strategies with business goals. Walking boards through breaches in the headlines, and the controls that could have prevented them, helps bring issues to life.
  • Demystify the AI/cybersecurity nexus – Chances are, boards expect this of you if you are a CISO today. AI can enhance security, but it also presents risks such as sensitive data loss. CISOs should educate the board about the implications of AI and help them understand the balance between leveraging AI for security and managing the associated risks.

The role of the CISO is clearly evolving, and alignment with the business is crucial for success. The most valuable ones go above and beyond their specialty to learn how they can advance strategic objectives. By acting as an educator and effectively communicating the implications of current threats and emerging technologies, CISOs can strike the right chord with directors and senior leaders.

But first, they must speak the language of the business.