Chief Information Security Officers (CISOs) often find themselves under pressure on two fronts. On one, they are constantly battling against evolving cybersecurity threats, while on the other, they have to continually justify the value they deliver to their organisation.
This internal source of pressure tends to be even greater when economic conditions are uncertain. Financial managers are on the hunt for potential cost savings and may struggle to understand the extent of the value that security teams deliver.
Focus on business operations protection
The first step for a CISO keen on improving management’s understanding of the security function is to become familiar with all aspects of the business. This is because, at the end of the day, you can’t protect what you don’t understand.
Time should be taken to examine exactly how the business goes to market and the products or services it delivers. Everything from how clients are found and managed to all the processes undertaken by staff should also be closely studied.
A CISO must also clearly understand external components such as supply chains, critical partnerships, and the wider competitive landscape. By doing this, they and their team will have a much clearer picture of exactly what needs to be protected.
Prioritising resources and budgets
Once this clear picture has been obtained, the CISO can work to ensure that security spending and activity are targeted where they can deliver the most value and be closely aligned with business needs and objectives.
When steps have been taken to better align business goals with the security strategy, the next task is to begin the process of building trust. Senior management must be encouraged to understand why specific security measures have been put in place and the protective value they deliver to the organisation.
This can be achieved by offering regular updates on security initiatives and projects. Details should also be provided on any incidents that have occurred and the response that was taken.
CISOs should also take time to update senior business managers on the evolving threat landscape and what this means for the organisation. This is the time at which the need for any additional funding can be raised and discussed.
Becoming a business partner
Taking these steps can do much to shift the perception of security in the business from being a cost centre to a value-adding partner, and this can be achieved from both a business and a financial perspective.
On the business front, significant progress can be made if a CISO runs the security team like a business. While maintaining organisational efficiency and metrics, a CISO should define which cybersecurity capabilities are achievable within their organisation.
It’s also important to be transparent about any limitations that are preventing them from providing certain services. This could be anything from budget restrictions to a lack of skilled and experienced staff. This transparency will help CISOs to set consistent expectations and build trust with both other senior managers and the wider staff.
On the financial front, it is important for a CISO to constantly think like a business owner. While growth is almost always a focus, it may not necessarily always be the most important goal because, at any moment, the economy may demand a different approach.
A company CISO should be constantly asking whether the security team is making the right financial choices when it comes to investing in new tools and protective measures. They should also constantly monitor whether they are delivering value for money.
By shifting their thinking in this way, CISOs can be sure the value being delivered by their security team is recognised at all levels of the organisation. This will make it easier in the future when increased budgets are required, or strategic shifts are proposed.