We always talk about the changing nature of cybersecurity with respect to the amount and types of attacks, but the roles and skills needed in cyber are changing and shifting as well.
In this week’s Reimagining Cyber podcast, “Cybersecurity and the Modern CISO,” Parham Eftekhari, Senior Vice President and Executive Director at Cybersecurity Collaborative, discusses the changes he’s seen in the CISO role and how the modern CISO can gain support from business line leaders and executives alike. Eftekhari’s 15 years of experience working with both the federal government and the public sector, as well as co-founding GTRA and the Institute of Critical Infrastructure and Technology (ICIT), offers a unique perspective on the shifting role of the CISO.
The Modern CISO – Not just about the technology
“They’re becoming more and more business leaders and business executives,” Eftekhari said, regarding CISOs. It’s become less about implementing technology and more about blocking and tackling.
“What's really important for the CISO to do is understand how to navigate the business side of the organization, to make sure that the priorities that they have as the head of the security shop get elevated to the business leaders.”
The modern CISO is the liaison between the executive team and business line leaders. A Deloitte study stated that CISOs spend 79% of their time working with business line leaders, explaining what they do and why it is important. A sales leader doesn’t care about how his pricing and discounts are protected; he just wants to know that they are, and that the cyber strategy has been thought through enough to include them.
“If you can come to them and say, ‘I've identified these risks to the business, to what you're responsible for, and I can help you mitigate those risks by implementing some security strategies, and here's what they are in business terms … I can reduce the risk of hackers attacking the network.’”
By speaking in terms business line leaders identify with, CISOs are more likely to garner their support. Make it important to them. Why should they care?
When working with business line leaders, Eftekhari recommends:
- Identifying business priorities and including them in the cyber strategy
- Speaking with business line leaders in terms that they care about – make it matter to them
- Incentivizing business line leaders by tying a portion of their compensation to compliance with CISO initiatives
Pull up a chair
Working closely with business line leaders gives CISOs an opportunity to be pulled in and have a seat at the table when smaller-scale technology initiatives are discussed, as more and more business line leaders roll out things like cloud services or migrate to cloud-based applications. With a seat at the table, CISOs can effect change at the ground level.
“To do this, either the CISO, you know, him or herself needs to have the, you know, the perspective or the personality, frankly, to be able to go out and reach out to these business unit leads and just foster those relationships and, and get the buy-in individually (which may or may not be realistic and may not always be feasible),” Eftekhari says.
“Or, you need somebody from the top to put in governance and put in policies and mandates for the business unit lead saying, ‘If you're going to spend money, one of the things you need to do is make sure that the CISO … signs off or reviews the contract.’”
One goal, one team
CISOs, business line leaders, and executives all need to work towards one unified cyber goal. It’s not just at the individual company level that this needs to happen; it applies across governments and the private sector as well.
“I think the government needs to do a, a really strong job advocating, and educating the CEOs of major companies that, you know, this is an area where we actually need your help, and it really should …I think it should become a part of corporate responsibility and corporate ethics, just like many other things have come over the years.”
With everyone rowing in the same boat, focused on the same objective, they’re more likely to achieve their goal.
What are your tips and tricks when working with business line leaders? Share them below!
CyberRes is a Micro Focus line of business focused on helping companies protect, detect, and evolve their security framework and helping organizations become more cyber resilient. To learn more, visit CyberResilient.com.