How CIOs, CTOs and the rest of the C-Suite Can Better Support CISOs

There are a variety of reporting structures for CISOs, such as reporting to the CTO, CIO, CFO or CEO. No matter who the CISO reports to, the CISO is still an integral part of the C-Suite. Yet despite this, CISOs don’t always receive full support from the rest of their C-Suite peers, which can cause friction and open up the business to risk. In this post I’ll cover how the rest of the C-Suite can better support their CISO peers and how doing so will actually help them achieve their goals as well.

Strategic Planning

First and foremost, the CISO needs to be included in strategic planning sessions about new markets, mergers and acquisitions (M&A), divestitures, new product launches and new customer types. Each of these areas will create new security risks and regulatory requirements that can have lengthy lead times for addressing. The CISO needs to be informed about product roadmaps, new features and new technology initiatives. If the CISO and security group are left out of these strategic discussions the business could be forced to delay a new business opportunity or worse enter the new opportunity without properly managing the risks.

Master The Fundamentals

Second, CTOs and CIOs need their teams to master and execute on the fundamentals. This means things like asset inventory, logging, observability, QA, QC and operations support (event notification and cost analysis). The reality is the rest of the business needs these things and these are not problems the CISO should own, yet if they are not in place they will cripple a security program. For this reason, a lot of CISOs will try to tackle these issues, but they won’t be successful without support from the C-Suite that actually owns these functions. So, one of the best ways the CTO and CIO can support the CISO is to lead the way on the heavy lifting for these fundamentals that way the CISO can draft off of these and focus on making their security program as effective as possible to manage risk.

Accountability

Speaking of mastering the fundamentals, what we are really talking about is accountability. The rest of the C-Suite needs to hold their teams accountable for completing or resolving security issues. This could be things like resolving technical debt, completing training, fixing vulnerabilities or appropriately prioritizing security requests. If accountability isn’t enforced at the C-Suite, then the rest of the business will become siloed and ignore other initiatives across the company. This can cause security issues to pile up and open up the business to risk that will be impossible for the CISO to manage. By holding your teams accountable and partnering with the CISO function you will create a partnership that can accelerate the business instead of creating unnecessary friction.

One easy way to get visibility into what your teams are doing, so you can drive accountability, is with an exceptions process. Exceptions are a common process for a security function and it allows the security team to have escalating levels of approval based on risk. It also allows for reporting and metrics about how many exceptions a team has requested, how many have been approved and how long it takes the team to resolve an exception. This can provide other C-Suite members valuable insights into how their function is performing with respect to their security commitments and it also allows the C-Suite to drive accountability into their functions by acting as the senior executive approver for critical risks in their function.

An exceptions process doesn't have to be just for security. The entire company can benefit from an exceptions process such as for purchasing, contracts, sales, finance and engineering. Exceptions across the company can give visibility, promote good friction and drive accountability.

Support Good Friction

There are two different types of friction in a company and we have all experienced them. Good friction exists to help slow people down to consider their actions or minimize risk. These are processes like confirming large financial transactions or requiring validation of someone’s identity before using a critical resource. Bad friction wastes people’s time and is adversarial. These are processes that are inefficient, people that exercise unnecessary control over others or people that never follow through on activities. This type of friction needs to be avoided.

The rest of the C-Suite can support the creation of good friction with respect to security and how security engages with their teams. Good friction can actually accelerate the business by front loading activities where they will take less time, instead of trying to resolve issues later in the lifecycle where they are incredibly difficult and expensive to resolve. Some examples of good friction are security checks as part of the CI/CD pipeline, like SAST, automated attack simulation, or automated compliance reviews. When the rest of the C-Suite supports good friction it will actually make everyone’s job easier and less risky.

Help Advocate For Security

Another way the rest of the C-Suite can support the CISO is by helping to advocate the value of the security function beyond being an insurance policy or compliance function. While the security function may be viewed as a cost center, it can actually drive revenue and generate value. By including the CISO in the strategic planning process, CISOs can advocate product features with customers and engage with customers in a more proactive way. CISOs can also work with the go to market and finance teams to create processes for tracking customer engagements by the security team. This can shed light into the direct and indirect ways the security function is driving revenue, which can change the perspective of the security function from simply being a cost center. Having other C-Suite members advocate and support the CISO with customer engagements, building revenue tracking and involving the security team in all phases of the business can help improve the value of security and reduce overall risk.

Cultural Change

The last area the C-Suite can help the CISO with is cultural change. The Chief People Officer or Chief HR officer can work with the CISO to create and adapt comp structures for the security team that reflects the competitiveness of the market. They can also work with the CISO to create career paths, training and job specific performance metrics for the security function. The Chief People Officer and the HR function are also critical partners for the CISO to backstop security policies and enforce these policies across the company. HR can create and enforce consequences for policy violations, such as lack of eligibility for promotion, and they can also help manage the worst offenders with termination. HR can also set incentives to reward good security behavior such as giving spot bonuses, rapid promotions or even tying bonuses to completion of key security goals.

Outside of the culture of the security function, the rest of the C-Suite can set the tone for the culture with respect to how the company should view and engage with security. In particular, the C-Suite can lay the foundation for a security first culture and hold people accountable for implementing this throughout their functions. They can also shift the culture by holding business owners accountable for the things they own. Lastly, if the rest of the C-Suite carries KPIs, OKRs or other annual performance metrics as part of their annual goals this can help cross pollinate and incentivize the entire company to execute on effectively managing risk.

Wrapping Up

Close partnership with the rest of the C-Suite is essential for the CISO to be successful. The rest of the C-Suite can support the CISO and the security function by involving the CISO in strategic planning, driving accountability, mastering the fundamentals, supporting good friction, advocating for security and helping to drive cultural change. By supporting these areas, the rest of the C-Suite will set the tone from the top and work with the CISO to govern the risk of the business in a way that allows it to eliminate bad friction, accelerate growth and remain competitive.

This post is archived at https://blog.370security.com/2024/07/31/how-cios-ctos-and-the-rest-of-the-c-suite-can-better-support-cisos/