CISOs Need to Adopt a Service Provider Approach
Durbin says that like the CIO, the CISO now needs to adopt a more customer or account management focus on their clients--to become service providers to the business. In other words, the CISO and the security function need to stop being roadblocks and traffic cops in favor of becoming facilitators that help the business achieve business goals in a secure manner.
"They need to really be moving beyond a security strategy," Durbin says. "I am seeing much more of a trend where they're saying, 'You know what? We don't have a security strategy anymore. We have a business strategy. We embed ourselves within the business strategy and roll out together. If, from a business standpoint, we consider there's significant enough value in going down a bring-your-own route, my job is to figure out how do we do that in a secure fashion."
"CISOs need to lead and drive engagement with the board--and start by changing the conversation," de Crespigny says. "They need to translate the complex world of information security and information risk into easily understandable issues and solutions. CISOs must change their way of thinking and the resulting conversation, so that information risk can be considered alongside other risks that boards oversee. As information security leaders, we have to shape the way we talk about information risk management for each audience."
That doesn't necessarily mean that the CISO will walk into a board meeting and chew the fat, Durbin says. A CISO who reports to the CFO might bring the message to that executive, relying on the CFO to raise the issues with the board. But whoever carries the message, the important point, he stresses, is that the message cannot be statistics about levels of malware, it has to be about how the security function can assist the business in achieving business goals.
Tips and Warnings to Help the CISO Engage the Board
In a recent report, Engaging with the Board: Balancing cyber risk and reward, the ISF presented a four-point plan for CISOs to engage the board: define, prepare, engage and review.
At the "Define" stage, CISOs must understand the organization's business and its perception of information security, understand the board and define the scope of the security program. The ISF offers a number of tips, warnings and notes for this stage:
Understand all the stakeholders, not just the internal ones. These include the SEC, FCC, FSA and ICO as well as the board and audit committee.
Don't remind board members of their fiduciary duties--instead show them how you can help them to discharge those duties.
Find out how information security is viewed by the rest of the organization--you want to be seen as a business enabler.
Sign up for CIO Asia eNewsletters.