How a CISO Improves Business Value
Stephen Gilmer, CCISO
Director, Cybersecurity, Technology Risk and Privacy at CohnReznick LLP
Many people see cybersecurity as a financial burden to an organization. It is a cost that must be endured to meet a regulation, or to avoid a potential loss. Recently Bloomberg published an article that talked about the challenges of retaining a CISO, and the ongoing search to fill open cybersecurity roles. Good people are hard to find, and they are expensive. This appears to strengthen the cost myth.
Why don’t all organizations believe this myth? The best organizations embrace the CISO as a vital part of their culture, and in a perfect world, nothing happens. No breach. No headlines. No upset customers. No investigations.
Then human nature kicks in. Nothing happened. In organizations that haven’t embraced the CISO as key to their success, the focus then shifts to the cost of cybersecurity. Is it a lot of expense for nothing?
To be a cost, the organization must ignore the damage avoided. The revenue not lost. The fines not paid. The hours not spent on labor correcting the damage. In many organizations, cost avoidance doesn’t have value - until it isn’t avoided, and you have to pay the fine, or see your stock drop and your reputation tarnished. The value of cybersecurity often isn’t realized until after it is very costly and too late.
The failure to see the value is a mistake. Avoidance alone should make every organization demand a world-class CISO and cybersecurity team, because the CISO has a view across the organization that is unique. Valuable. Different. The organization that values its CISO gains a competitive edge.
The CISO addresses the heart (information technology) and collaborates with the soul (people) of the organization. The CISO understands the details (contracts, regulations), all while championing the organization’s vision across every medium available. They make sure that the long-term strategy is part of the technical team’s goals. They ensure their peers understand the holistic risk, so the forthcoming privacy regulation is factored into next year's growth plans.
The CISO is the trusted advisor who taps into the organization’s people skills while connecting the security dots: ensuring the business technology is resilient, preparing for and leading the incident response, and being a voice of reason while helping to lead the organization.
When you look at what a CISO does in non-technical terms, they allow the organization to grow, operate, and innovate anywhere in the world, while replacing risk and uncertainty with security as part of the cultural DNA.
How does your organization view data masking (protecting data while making it functionally usable), or encryption? When used together, not only do you lower your risk of a data breach, but you enable the organization's data for ethical use in other areas. The CISO opens the potential for your data to be used in responsible ways that don’t exist without a robust cyber culture. Data analysis without exposing personal information allows new insights to be unlocked. Cybersecurity done right isn’t just a value add. It fosters innovation. It’s the catalyst for growth. It’s an enabler of change.
Wired published an article in which a researcher had to order multiple adult toys for work, and ended up ruining her e-commerce shopping recommendations. If the site had implemented the “Right to be Forgotten” (i.e., the ability to have certain life events removed from third parties), this researcher could have removed those purchases and received recommendations for items of value to her. The right to be forgotten is a requirement of GDPR (European privacy regulation), but the CISO understands how this and other regulations can be used to improve sales. In this case the researcher could “forget” the research purchases and get items of value to her in her recommendations: items that can lead to increased sales.
How does an organization grow to realize these hidden gems? How does new regulation turn into sales growth? How can protecting your intellectual property / customers’ data / “secret sauce” become innovation? How can industry requirements be used to enhance growth?
The answer is simple: find the best CISO and don’t let them go. Empower them to build cybersecurity into, and aligned with, everything. Their actions will drive growth. Embrace cyber as part of the cultural DNA to allow operations to happen anywhere securely. Use the data you have ethically, and drive AI or Big Data innovation for more value. The CISO is the multiplier every organization requires. Want to multiply the CISO’s value even further? The CISO’s work allows organizations to tap their full potential and to use that potential securely for maximum value.
An organization can view the CISO as a cost and be at risk of headlines similar to Capital One’s recent data breach, or Facebook’s $5 billion settlement while the world’s government agencies debate whether it should be broken up.
World-class organizations embrace the value of the CISO. They enable the organization to use the information it needs. They enable the secure deployment of the devices their customers demand. They allow safe access to information in the geographies where organizations need to operate. They analyze information without putting your customers’ personal information at risk.
The choice is clear.
When an organization places the CISO and cybersecurity on the cost side of the ledger, it also accepts, but often doesn’t acknowledge, the risk. Value the CISO and expect a return of 10x, 15x, or even 50x their salary, and know that the organization made an informed investment that reaps dividends year after year.
It is time to invest in a CISO and the benefits they bring to the organization.
About: Stephen Gilmer is an IT Professional who has traveled extensively domestically and internationally to advise clients on how to grow their business securely. He has worked with multiple government entities in his travels, with private and public companies, big and small. He enjoys public speaking, and helping companies learn how to make cybersecurity part of their DNA.
Servant - SMB Advisory CISO - vCISO - Author - Podcast Host - SME Contributor - Mentor - Entrepreneur - Owner vCISO Services, LLC and Second Chance Publishing, LLC - CISO Novelist - Veteran
5 years
“Value the CISO and expect a return of 10x, 15x, or even 50x their salary” - what is/are the source(s) to back up this statement?
Account Management Executive | Software Solution Selling | Enterprise Renewals Sales Executive | Retention Specialist | Customer Success Mentor |
5 years
Terrific article. Very motivating on such a critical contributor to every organization.
Helping Deliver the Cyber Talent of Tomorrow
5 years
Very good write-up Stephen. Thanks for sharing.