Interviews

C-Suite influence

by Mark Rowe

Chaim Mazal, pictured, Senior VP of Technology and CISO at the device management product company Kandji, offers three tips for successful CSOs.

The number of cyberattacks in the UK has grown rapidly over the past two years. Cyber criminals are ever more creative in the ways they take advantage of newly adopted hybrid working practices and the latest geo-political events. According to the UK Government’s Cyber Security Breaches Survey 2022, nearly a third (31 per cent) of UK businesses experience cyberattacks or breaches at least once a week. The result? Cybersecurity has moved from being a tech issue to becoming a wider business problem – with around four in five (82 per cent) of boards or senior management in the UK rating cyber security as a ‘very high’ or ‘fairly high’ priority.

With this, the role CSOs play as part of the C-level table has changed too. The part they play in effectively communicating security threats and courses of action to the wider business is ever bigger – drawing a clear road map to ensure the organisation’s security at all levels. Nowadays, CSOs have become the main business influencers. But how do they seed new ideas or explain threats to other C-level executives at the table? And how can they work more closely with the C-suite to boost overall security culture within the organisation? A few guidelines follow.

Communication is key

There are some really skilled security leaders out there who have great knowledge and understanding of security vulnerabilities and the risks that come with them. However, that knowledge is not the only skill needed to protect the business from external threats. When it comes to communicating these risks to the business, all this knowledge and expertise may be seen as a blocker by those who don’t know its purpose. The solution? CSOs must act as a ‘translator’ between the technical team and the business – explaining details and risks in terms and language that the wider business can understand and act upon.

A good way CSOs can easily illustrate security vulnerabilities and how they could potentially impact the organisation is through a standardised framework. Serving as a risk register, a good framework can help CSOs identify a threat, explain the probability that it will affect the organisation and present the most likely overall impact it will have. The CSO should maintain and share this risk register with the business, be able to prioritise identified risks and participate in discussions about the budget needed to resolve the high-priority issues in a timely manner.

An effective risk register must be separated into individual sections that align with different units within the business, or even with different stakeholders – infrastructure, web applications, internal systems or physical security. By outlining identified risks to the relevant business unit, a CSO can open a dialogue with different stakeholders, which ultimately enables them to convey how security is relevant to each business unit.

CSOs are there to secure, not to block

Security professionals may often be seen as ‘blockers’ to all – internal processes, workstreams or even product development and rollout. This is a perception CSOs have earned by saying “no” when everyone else in the business says “yes”. The solution is not to join others by saying yes – it’s about explaining “why not”. It is vital that the CSO can provide the right level of detail to help leaders make smart business decisions that enable business success and resiliency in the long run. It’s about being able to communicate how and why the success of the business is dependent on security, and to empower a strong security culture where all employees are invested in supporting, maintaining, and respecting security practices.

Focus on the outcomes

While identifying, prioritising, and communicating threats is a key part of the CSO’s role, they should also be able to work toward tangible, positive business outcomes. This means focusing on and communicating how, despite the identified risks, the precautions taken, or the potential delays expected, the final result will deliver a more productive and resilient product, service or organisational approach. After identifying the threat, the CSO should find a clear road map past the risk while ensuring that potentially affected business units are secure. It’s about mitigating risks whilst simultaneously helping the business achieve larger goals. Seeing security issues from a wider business perspective is vital to this, as it will help CSOs be perceived by the C-suite as an enabler – not a blocker. This is invaluable to any CSO looking to build their profile within an organisation.

In today’s world of increasing cyber-attacks, constant fraud attempts and overall heightened security risks, the role of CSOs in influencing the C-level table is more important than ever. CSOs who are understood by their C-level peers as effectively keeping the company secure whilst enabling business decisions are taking their rightful place at the executive table.


© 2024 Professional Security Magazine. All rights reserved.
