Monstrous Responsibility Meets Diminished Reality
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
While we have seen some remarkable changes in how the rest of the C-suite perceives the role of the CISO over the past five years, cybersecurity is generally still treated as a back-office function, and most CISOs are ill-equipped to exert strategic influence.
In spite of the enormous investment that companies have made to secure systems and protect customers' data, the office of the cybersecurity leader struggles to become an integral and proactive part of strategy, operations and culture.
Among the millions of words written daily by analysts and editorial professionals are repeated acknowledgements of the monstrous role, responsibilities and duties that the CISO must shoulder every day. Yet when companies make big strategic decisions about business models, M&A and digitalization strategies, cybersecurity remains an afterthought and the CISO is nowhere to be seen.
The result is that most companies enter these waters without guidance from the one person who understands the depths and shoals that must be navigated for safe passage. Not only do they lose value, they increase cost and add burden by expanding the threat landscape and degrading their risk posture at the same time.
History treated decisions like this kindly when cyber-threats were slow and simple. This of course is no longer the case.
Modern cyber-threats move at machine speed, and 5G will only widen the attack surface and shorten the time between intrusion and impact. Today's malware is adaptive, nimble and polymorphic, and it is increasingly automated with the help of machine learning. Threats multiply with every connected smart device an organization embraces. It is well past time for functional executives and board members to re-examine their expectations of cybersecurity leadership and to accept that the shadow they see is indeed being cast by the 800-pound gorilla in the room.
Business context drives choices. Balancing regulatory compliance against risk and customer value in cost-pressured markets yields decision points that C-suite executives must deal with daily. It is incomprehensible that whether you’re a financial services company or an electric power grid operator, you would enter that decision process without a solid understanding of risk, threats and probabilities.
It is one thing to prioritize growth over business continuity, but if you operate in a hurricane zone, you don't ignore the risk factors associated with natural disasters. Every risk decision affects operational activities and ends up driving business outcomes, so burying the cyber-risk expert in IT, or even combining cyber-risk with the IT function, would be the equivalent of relegating legal to accounting.
No one does that so why do we keep doing this?
Because most businesses' digital infrastructure runs across a broad map, CISOs must have the authority to act within every business function. This lateral positioning, where the CISO can influence change in R&D as easily as in manufacturing, is not up to the CISO. It is up to the board and the CEO to declare, and without that level of support the CISO will never be able to orchestrate change of any kind.
Unless cyber KPIs are assigned to each business unit, and unless LOB owners are encouraged to partner with the CISO with the same enthusiasm that characterizes their partnerships with IT or external consultants, any attempt to leverage digitalization initiatives is bound to expand the threat landscape and elevate risk.
On the flip side, CISOs must develop the skill sets and outlook necessary for the broad world-view that is the precursor to business enablement. Unless the CISO understands the business objectives and the process the C-suite and board use to evaluate and manage risk, so that they can communicate and build influence and leadership in language that relates to business strategy and enterprise risk management, it will be nearly impossible to have business impact. Cyber-risk is only one component of the overall risk ecosystem, yet it needs to be assessed and managed on an equal plane with competition, disruptive innovation, internal cultural resistance to change, natural disasters and regulatory challenges.
CISOs and CEOs must accept that the best person to lead secured digital transformation is not the person with the most granular understanding of the technology enablers, but rather the person who has learned to abstract technical concepts and translate them into messaging that the least technical members of the executive team can consume. In addition, a CISO who cannot create the emotional connection necessary to sell the program to LOB owners will likely not succeed in advancing the company's most security-centric interests.
While today's CISO must figure out how to grow this skill set, today's CEO must do a better job of finding CISOs who are capable of injecting energy and a passion for risk management into daily dialogue with the rest of the C-suite.
Proper cyber-risk controls and rigorous cybersecurity management will mitigate business risk, reduce regulatory friction, establish and maintain the proper framework for applying technology, tools and processes, ensure that digitalization initiatives return on investment without surrendering efficiency gains in exchange for increased security, and create competitive advantage at the same time.
Without the influence of a proactive CISO who has been accepted by the LOB owners and endorsed by the CEO, businesses will continue to pursue digital transformation strategies without the guardrails that can and will mitigate new forms of cyber-risk.
There are no good outcomes possible from continuing to ignore the gorilla.