Hacker, Researcher, and Security Advocate

Security IS a Business Function

I hear and see a growing number of security leaders and executives talking about the job of security to “enable the business”. This is a promising sign that we’re getting better in security spaces about recognizing our true role and demonstrating our value to the organization. However, what I’ve also discovered is that when I ask probing questions of these leaders, many of them do not understand *how* security enables the business. They struggle to articulate just what it is about security that drives business success. I believe this is because we still look at security as separate from the business and that we need to approach security as a business function.

When we think about business support functions like our finance teams, our recruiting teams, our accounts payable/receivable teams, we’re able to clearly visualize the direct impact each of those makes (or at least should make) in driving business success. In most cases we can articulate how those are business functions in terms of their connection to generating revenue and maximizing bottom line income. When we think about security however, those lines are often harder for us to picture. Often, security is thought of as a technology function, a few steps removed from the core business and lacking the ability to directly impact the business. So how do we start to shift from that mindset?

Moving beyond traditional thinking

Traditionally, when security practitioners have been forced to justify our value, the default line of thinking has been risk reduction. Security teams focus on the theoretical (albeit perhaps inevitable) impacts of breaches, attacks, etc., and we try to justify how our initiatives and processes reduce that risk. Then we try to quantify that by talking about the associated cost avoidance that comes from reducing instances of threats being realized. This approach is problematic because, for those on the business side, these discussions lack context. The whole concept is ethereal, and the process of quantification is difficult and hard to defend under scrutiny. The result is that we fail to gain committed support from our peers in the executive suite (yes, I said peers, as that is what they should be, but that’s a topic for a different article).

If my relatively young tenure leading the security strategy for the CRA division (CRA, Credit Ratings Agency) of my organization has taught me anything, it’s the necessity of connecting everything to business viability, revenue, and bottom-line profit. I too have spoken for years about the needs of security to enable the business. Working for a VAR, I understood it from the perspective of justifying security purchases. So I keyed in on that story line and how to motivate executives to spend money on the tools and processes we need. When I worked for a cloud native security company, I got to see it from the perspective of how security can enable and grow the DevSecOps culture that so many organizations seek to leverage. But now, working in a global Fortune 500 financial services org, I feel like I’ve finally been able to wrap my 16 years of cybersecurity experience around the idea of how we truly connect the dots.

Thinking like a creditor

Imagine, for a moment, being a CISO and trying to demonstrate to a potential creditor how your cyber security program positively impacts the creditworthiness of your organization. For many in the security space, this seems like an impossible or maybe even laughable objective. Maybe, if we do take it on, we fall back on our laurels of cost avoidance through risk reduction. How many creditors are going to be interested in that story line? I can assure you, very few. So ask yourself, how do we take it further?

When a creditor is looking at your organization, they want to know how likely it is you’ll be able to pay off your debts. Sure, avoiding unexpected and unplanned security expenses plays a part, but in the grand scheme of things that’s a very small influence. We need to instead elevate our security program’s influence on the bigger picture. Creditors want to know where you are headed in terms of growth, investment, innovation, and market placement. Where you are today is actually less relevant; where you’ve been, even less still. Even where historical performance is used, it is used as a predictor of how your organization will do in light of future challenges. Therefore, to credibly demonstrate the significant component our security programs represent in that bigger picture, we have to speak to those forward-looking concepts.

Finding the holy grail

This is essentially that “holy grail” of business enablement that is being discussed with greater frequency. To do this, we as security leaders need to change our prioritization metrics. This means programs designed around less traditional priorities, the ones that drive where the organization is headed:

  • Product Agility – How is your security program creating the capability to bring products and enhancements to the market faster? Removing friction is important, but do you actually make frequency of deployments, reduction of work-in-progress, and product/service stability KPIs for your security program? If not, you’ve completely missed the boat on what “shared responsibility” (a core tenet of DevSecOps culture) means.
  • Innovation – Consider your standards and policies: are they built to ensure security and be flexible enough to allow exceptions, or do they actually encourage your business to find new ways to accomplish the same security objective? The former is hard enough for many security programs to achieve. The latter is where we need to get to, but very few make it a focus. Netflix years back introduced the idea of the “paved road”. Making the secure path the easy path to deployment encourages secure practices. But what about introducing a higher level of empowered accountability, encouraging our business lines to achieve an acceptable level of security in a way that best fits their business objectives?
  • Business viability – There are plenty of fail-fast stories out there. Heck, Alphabet has built an empire on the concept. But even when we do it fast, failure can still be expensive. Have you ever considered how your security program can support greater viability in the marketplace for your organization’s products and services? Security practitioners often consider reputational risks, but how can we move beyond that and address other viability risks? Security programs need to focus on how we can improve customer acquisition. Can we remove friction from the customer onboarding process? Can we leverage our security expertise to better support customer success initiatives? Our programs should also consider how we can support brand alignment. Wouldn’t we all love to work for a business where security was a credible component of the brand? These are key priorities that should shape how we grow our security program.
  • Profitability – Sure, you’re probably thinking, well, that’s obvious. If I can reduce the cost of my program, I can make us more profitable. Well, if you’re a CISO working on a budget that’s likely already stretched thin, is that really the approach you want to take to prop up the bottom line? Instead, make driving cost efficiency in the business line your priority, and be sure to track it and demonstrate it. Drawing a connection between a security initiative and reduced hard-dollar costs in the business line is a gold nugget that gains you support not just from the Executive Suite but also from the business lines themselves. Look for alignment between tool capabilities and business compliance requirements. Even better, build security processes and projects that eliminate the need for extensive business processes.

We as security leaders have to start thinking differently. We cannot continue to silo ourselves from the business and then preach about how we’re going to enable the business. We can’t continue to demand that security is everyone’s responsibility while abdicating our responsibility to make our development pipelines more efficient, our business practices stronger, and our marketing objectives more strategic. We share in that too. If we do this, we can start to get our organizations collaborating with us, leveraging our capabilities, and thinking of us not as a necessary cost center but rather as a true function of the business.

What is a Business Information Security Officer (BISO)?

A Business Information Security Officer (BISO) is a senior security leader assigned to lead the security strategy of a division or business unit. They provide a bridge from the centralized security function to the business. The BISO functions like a deputy CISO reporting into the business line.

The BISO role is becoming more common in larger organizations, especially those with more mature security programs. BISOs translate the goals and policies of the centralized security function of the corporation down to specific practices and procedures within the business lines. Additionally the BISO is responsible for providing business context back to the CISO’s organization to help shape future direction.

Why do organizations have BISOs?

BISOs work closely with the CISO and business leaders to make sure that corporate security objectives are treated as business requirements. The BISO ensures that those objectives are met with processes and procedures tailored to best fit the unique inner workings of the division. This often includes connecting security initiatives to compliance, audit, and regulatory requirements.

Having a senior security leader dedicated to the business unit creates a single owner for the division’s security strategy. Programs like vulnerability management, compliance, and application security are typically owned and driven by the BISO. Additionally, the BISO serves as a consultative resource for technology and development teams on security-related issues. All of this helps build credibility for security within the business unit and creates a culture that recognizes that security is everyone’s job.

The BISO is also responsible for providing upward visibility into the security posture of the division. In many organizations, they are called upon to report the division’s state of security not just to the CISO but to the Executive Committee (EC) and Board of Directors as well. The BISO therefore must have a solid plan for measuring improvement and ensuring appropriate goals are established and tracked.

What are qualities of a good BISO?

Desirable characteristics for BISOs are very similar to those of a CISO. There are four key characteristics that a successful BISO should possess:

  • Broad security knowledge
  • Executive presence
  • Influencer leadership
  • Strategic thinking

Broad security knowledge

As you’d likely expect for a security leader, a BISO should possess a great deal of proficiency in the technical aspects of cyber security. The ideal person possesses a wide breadth of experience across the various domains. However, depending on the scope and make-up of the business unit, it is often beneficial to find someone that has more focused expertise with key strategic technologies. For instance, if they’ll be leading a division that is going through a focused cloud transformation, it would be beneficial for the BISO to have particular expertise in cloud native technologies.

What is important to remember from a skills and experience perspective is that the BISO will be the primary owner of the security strategy for the division. Therefore, they need to be able to speak credibly to each of the technology domains while also working with subject matter experts when depth of expertise is needed.

Executive Presence

Since the BISO directs the security initiatives within the division or business unit, they must communicate up the leadership structure. Effectively communicating the risk and security posture of their organization to executives and the Board of Directors is a crucial skillset. This means rising above the technical implications and instead speaking in the context of business objectives and risks that are impacted.

In some organizations where the BISO is aligned to smaller units of the business, there may be less opportunity to communicate with the EC and Board. However, this does not make executive presence less important. The BISO still needs to be able to speak to business impacts and understand how their message is received at the highest levels of leadership.

Influencer leadership

While BISOs typically report through the business leadership structure, that doesn’t mean they operate in a position of authority over the technology and business groups with whom they’ll work. The BISO functions as the bridge between the business and the corporate security function. Therefore, they need to be able to influence both organizations effectively without formal authority.

In the end, influencing actions by speaking to the motivations of each audience demonstrates stronger leadership prowess than ruling by edict. For the BISO it’s an absolute necessity. The best leaders clearly communicate the value of the initiatives they propose to those who will be asked to adopt them. A BISO’s worth lies in empathizing with their audience and addressing their concerns credibly and effectively.

Strategic thinking

The successful BISO is one who doesn’t get mired in the technical details. Instead, they see the big picture: how all the various elements of the business and security strategy work together. They look at their work in terms of a long-term vision. Individual tactical elements and mid-level initiatives all connect in some way to that vision.

That ability to see things from a higher level keeps the BISO grounded in their core objectives. They unite security strategy with business objectives to continuously improve the security posture rather than chasing a singular objective.

An Emerging Role

The BISO role is still very new. Even among the select organizations that have embraced the role, how they structure it can vary. In the end, however, the goals are the same. The BISO is there to ensure that security initiatives are implemented with business context in mind. The BISO advocates for security within the division and connects security to business enablement. BISOs are a valuable resource that will likely continue to be established within an increasing number of organizations.

Get a Chair At the Big Table

CISOs can drive the security discussion in the board room

Cyber security is increasingly becoming a top business concern for executives. A recent survey from The Conference Board found that US CEOs rank cyber security as their top external concern for 2019. However, at a board level, security discussions with the CISO are relatively rare. Without this critical interaction, it can be challenging for a CISO to drive security strategy. Luckily, there are some steps security professionals can take to earn a spot at the table with the board.

Why aren’t CISOs being invited to the discussion?

Numerous challenges stand in the way of a CISO getting in front of the board of directors. From reporting structure, to stereotypes about a CISO’s qualifications, security executives have many barriers to overcome. Understanding the challenges enables development of strategies to overcome them.

Organizational reporting structure

In most organizational reporting structures, the CISO reports to another executive below the CEO. As a result, organizations commonly view the CISO’s duties as a subset of another officer’s role. The board typically calls upon the higher ranking executive, commonly the CIO, COO, or CRO, if and when the discussion of security reaches the board room.

Perception of the CISO

A perception that CISOs are too technical also hampers their ability to win a spot in the discussion. Developing a security strategy requires a significant level of technical knowledge. Indeed, CISOs sometimes struggle with presenting security strategy in terms that resonate with the board. Overcoming the stereotype of being too technical for the board room challenges even the strongest CISO.

Security is scary

Despite the increased focus on security, all too often the board avoids topics of security. The complexities and uncertainty of cyber security make it an untenable discussion point. Sure, directors want to keep the organization’s name out of the headlines. But at the same time, some treat cyber security like a toothache: rather than go to the dentist, they try to avoid even thinking about it. However, the problem doesn’t simply go away. Just like that tooth, ignoring it only makes things worse.

Earning a spot at the big table

Security leaders need to change the perception of the CISO role and make cyber security a regular topic for the board. This begins with establishing a level of credibility with higher ranking executives and the board. While this process takes time, establishing a solid rapport with the board ensures they’ll seek out the CISO’s perspective.

Forget FUD, focus on the business

CISOs commonly make the mistake of presenting security in terms of Fear, Uncertainty, and Doubt (FUD). They share perspectives on the horrible things that could happen. However, playing off the fears of others does not motivate them to action; it causes them to avoid the conversation.

Instead, security leaders need to focus on how security strategy can improve existing business or enable new lines of business. For instance, demonstrating how an investment in Cloud Access Broker technology creates the ability to offer new cloud-based services delivers a very compelling story line. Additionally, it demonstrates an understanding of the business beyond simply the technology.

Be prepared for the right questions

Responding with solid, tangible answers establishes expertise and confidence. Doing so requires an understanding of how board members look at the business. Ultimately, when it comes to security, the board wants to know that appropriate measures are being taken to manage threats to the business.

Directors ask questions along the lines of “Could we get hacked today?” or “What would the impact be if we get hacked?” Answering these requires reading between the lines to understand what information they’re asking for. Fundamentally, they’re trying to assess risk and ensure that something is being done to address it. So share tangible efforts and programs that are in place, but do so in the context of critical business functions. Avoid talking about the latest technology you deployed; instead, describe the resilience of business processes to recently publicized attacks.

Establish Visibility

Regular communication with the board can start without attendance at the meetings. CISOs should work with their top-level executives to establish a reporting cadence with the board. A proactive approach allows the CISO to shape the security strategy message and demonstrates competence and expertise. Furthermore, the regular cadence establishes visibility that builds a bridge into the board room over time. Ultimately, putting more security-focused data in the hands of board members builds demand for further security discussion.

While it can be challenging, CISOs can drive the security discussion all the way up to the board of directors. Taking time to understand the board and their perspectives allows the CISO to exhibit their expertise and build confidence. Ultimately, as the board hears more from a competent CISO, their trust grows and their desire for interaction leads to a spot for the CISO at the big table.