It’s become an all-too-familiar refrain: CISOs advocating for a seat at the senior management table, yearning for a voice in decision-making equal to those they view as their peers. Given how critical cybersecurity is to the prolonged success of modern businesses, why hasn’t it happened yet? What CISO behaviors are holding them back? What changes are necessary for a CISO to earn a place with the top brass?
Joel Fulton, CISO at Splunk, highlights the crux of the problem in a Dark Reading article: short-term thinking. As Fulton explains, CISOs are under tremendous pressure to prove their effectiveness quickly, but have one foot out the door due to a lack of upward mobility and a desire to leave before a major breach can rightfully be blamed on them. This leads to a focus on shiny new security tools and projects that are quickly achievable at the expense of gaining a true understanding of the organization’s risk exposure.
But is that what Boards really want from CISOs? It’s easy to chart progress and report percent completion on the implementation of a new security tool, but how is the Board to trust that real risk mitigation is occurring? CISOs often report that a lack of serious cybersecurity culture and active participation with executives leads to job dissatisfaction — is it any wonder these conditions exist when CISOs aren’t taking the lead in building a risk culture that speaks the language of the business?
Fulton’s article clearly lays out the problem; now here's a solution: CISOs can start to claim their spot at the executive table by presenting a clear picture of the organization’s risk landscape backed by defensible, quantitative risk analysis that articulates risk in a language the business and the board understand: dollars and cents.
Showing business value by analyzing the risk landscape and offering mitigation strategies that will actually move the needle on reducing risk furthers the CISO's case for a role in key decision-making. Instead of justifying expensive new tools by appealing to “best practices” or “benchmarking,” CISOs can justify their security investments in terms of the amount of risk reduced per dollar spent.
The best strategic thinkers in the CISO profession are already far along this path.
- Transformative CISOs like Grant Bourzikas at McAfee are moving their organizations off the old thinking (read this interview with Grant).
- At public or regulated companies, CISOs are looking to get out ahead of regulators demanding more, and more proactive, disclosure of cyber risk (see the SEC's guidance document).
- The FAIR Institute, the professional organization for CISOs to learn and discuss risk quantification, just passed 7,000 members.
- And the leading technology analyst firm essentially warned CISOs that if you're not quantifying, you're not truly evaluating cyber risk (read Gartner Names Risk Quantification a Critical Capability of Integrated Risk Management).
Using the RiskLens cyber risk quantification platform, CISOs can change their organization’s culture and engage business executives by speaking the same language: dollars and cents. Based on the FAIR Model, the international standard model for risk quantification, RiskLens can help CISOs cut the short-term thinking, justify projects in economic terms, and earn the trust of the senior executives they long to join at the grownups’ table.