Generally speaking, Chief Information Security Officers (CISOs) came up through the ranks of IT, corporate security or law enforcement, not the business management path. Now, CISOs have to evolve to think and speak like experienced business people. What's going on? This infographic outlines four forces coming together to push cybersecurity leaders out of their normal skillsets and comfort zones.
Rise of the Business-Savvy CISO
Generally speaking, CISOs came up through IT or from a corporate security or law enforcement background.
NOW CISOS HAVE TO EVOLVE: TO THINK AND SPEAK LIKE BUSINESS PEOPLE.
WHAT’S GOING ON?
4 Forces are coming together to move CISOs beyond their comfort zones…
1. New Risk Landscape—Bigger, More Complex
- The move to The Cloud and other technologies outside traditional central enterprise control complicates security.
- Damages from cyber threats now go far beyond IT and are now a major concern to senior management and boards.
- Threats are escalating massively, from ransomware to data theft.
2. New Relation of Risk and Security to the Business
- Cyber risk = business risk for management and boards as part of their fiduciary and regulatory responsibilities.
- The rest of the business demands communication in business terms = dollars and cents.
3. Old Models Not Cutting It
- Asking for budget based on “Fear Uncertainty and Doubt” (FUD) has become like the boy who cried wolf.
- “Qualitative” risk models with heat maps or “High”, “Medium” “Low” ratings are too squishy.
- Compliance checklists don’t give guidance on how to prioritize security efforts against risks specific to an organization.
4. Move to Proactive Choice on Risk
- Companies have come to realize that 100% security is impossible.
- Therefore risk posture is a choice.
- Organizations must make conscious, well-informed, cost-effective decisions on security investments.
The Bottom Line:
CISOs are meeting the challenges by
- Helping organizations understand cyber risk in financial terms
- Enabling cost-effective prioritization and spending decisions