Today’s security leader is also a business executive. Here’s how to thrive in both roles.
Today’s chief information security officer has to weigh in on board-level decisions that affect the future of the business. A CISO’s business acumen has become just as important as security expertise in an increasingly competitive landscape; executives rely on the CISO to map security programs to business objectives to promote growth and generate revenue.
It’s essential that CISOs align their security strategies with the overall goals and mission of the enterprise. In a digital world, data security not only reduces risk and prevents negative outcomes, it contributes to the forward momentum of the business.
Splunk has been helping organizations apply data to security, IT operations and business innovation for more than 15 years. Here, from our ebook “5 Key Ways CISOs Can Accelerate the Business,” are five best practices that uplevel a CISO’s contribution to business success.
1. Understand how the CISO role has evolved.
Traditionally, CISOs cared about security strategy, not profit margins. Where a breach or security flaw was detected, their approach was to fix the system rather than transform the business. But in the Data Age, the CISO is expected to create value as well as prevent disaster. That means, for one thing, accelerating the velocity of the business, not just saying no to every proposed change or innovation. Understanding these expectations is vital to CISO success.
2. Know your board’s business needs.
The streams have crossed: Cybersecurity is no longer too technical and abstruse for business execs, and CISOs can’t put themselves above considerations of financial risk, market opportunity, and the bottom line. CISOs need to understand what drives growth and how to speak “security” in practical, real-world terms that the board can understand. Not every security expert is good at business-speak and organizational politics — but for the CISO, soft skills are essential.
3. Embed security into your business strategy.
There’s not a security expert alive who isn’t furious when security is the last box checked when expanding infrastructure or developing a new product. CISOs must use their more business-forward roles, and those soft skills, to ensure that security strategy is part of business strategy, from the first meeting. Building security into the development process establishes trust with the customer, promotes sales and gets products to market faster, therefore driving revenue. Incorporating security into project and business planning also helps mitigate risk, especially when working in agile environments with short release cycles.
4. Create a strategic roadmap.
You need a framework that coordinates the security aspects of technical developments and maps your security initiatives to long-term business goals. First assess the current state of security, and outline goals for the next 12, 24 and 36 months. Start at a high level, verifying mission, vision and goals of the business. Then look at security on a more granular basis. Finally, update the roadmap (from its strategic goals to tactical planning) as the business, the threat landscape and the technology stack evolve.
5. Determine how security solutions can help.
Just as the CISO can’t personally handle every aspect of security, your managers and front-line analysts can’t do it all, either. There’s too much data, too many bad guys, and too many threat vectors. Modern IT security demands a powerful platform that can ensure security and brand reputation won’t be compromised — they need a scalable, overarching security solution. (We happen to know where you can get one of those.)
CISOs have a lot on their plates these days. They’re keeping the bad guys out today. They’re improving security posture for tomorrow. They’re ambassadors to the C Suite and the board of directors for the entire concept of security, and they’re framing it in terms of business value and brand imperative. The role of the CISO is expanding at least as fast as your organization’s attack surface. But with an eye toward business value, CISOs can not only be more successful in their mission, but can raise their position within the business.
For more on the complex new role of the Data Age CISO, read 5 Key Ways CISOs Can Accelerate the Business.