Which makes a CISO shake more: An email alert the organization is under a cyberattack or a summons to address the board?
In theory the answer should be neither, because its part of the job to be prepared. But the truth is too many chief security officers are unprepared to face the executive team and/or the board of directors.
That’s the feeling of Forrester Research senior security analyst Martin Whitworth, who ought to know: Before joining the analyst firm in March he spent 10 years as a CSO or security leader in a number of U.K. firms, including British Energy (the country’s nuclear power generator, now part of EDF Energy), the Coventry Building Society (a savings and load with about 50 branches) and the UK Payments Council (a trade association for the payments industry).
In the 1990s he was a Rome-based security architect for Toronto-based DMR (now Fujitsu) Consulting.
Recently he wrote a report for Forrester customers entitled “Security Leaders, Earn Your Seat At The Table.” I asked him in an interview to expand on why CISOs should stop fearing speaking to the people at the top, and how they should elbow their way to influence.
Whitworth said he wrote the paper “out of frustration born out of experience…I’ve attended so many peer group meetings of CISOs on one hand complaining they’re not getting any attention they need or the level of responsibility they desire, and then discovering they haven’t done the basics and got themselves engaged as part of the business process.”
Too many security leaders spend too much of their time on day to day technology issues around security rather than on developing their business skills and their business knowledge,”
One key is understanding that executives don’t want to hear about technology; they want to hear about risk. “Every day they talk about risk — operational risk or financial risk. They understand risk. So CSOs should make sure when they talk about information security risks or compliance risks we present them in exactly the same clear way.”
CSOs are missing “the writing on the wall,” he said: If they don’t learn how to work with the people on the top either they won’t get the budgets needed, or they would be pushed aside by the CIO or another C-level exec.
Here’s what he advises CSOs do to ensure their voices are heard:
—Find a mentor on the board.
“Without fail there will be someone with more than a passing interest in information security … Seek that person out. And it becomes a two-way street: You’re going to be able to use that individual to bounce ideas, educate them more on the taxonomy of information security. You can also use them to teach you about what you’re doing wrong. (ie: don’t be so verbose before this person, or pre-brief these people.)”
—Know what’s going on in the company.
What’s being said about the organization in the press and social media? Is the company about to embark on an expansion or acquisition that will change IT security needs?
—Have a roadmap.
Know where you’re going in your security plan, how the organization is going to get there and how much it will cost. And if there are milestones, make sure they will be met.
The opposite is also true: Don’t spring a surprise on the board.
—Know what’s going on in your industry
Do you have connections with peers? It’s good to be able to talk with others without breaking corporate confidences to find out if they’re seeing what you are, and how they solve problems. “If you start sharing information on a trust basis that can really aid your presence within your organization.
“Typically boards ask two questions in my experience to start things off: How secure are we — and CSOs should know that — and how are we doing against our peers” — both in security and spending.
—Know your audience –where board members have come from, “these are really important people you’re going to talk to. It behooves you to know who they are, where they come from, what their particular areas of interest and influence are.”
Whitworth admits the biggest mistake he made as a CISO was telling a board things it wasn’t interested in. Once he tried to make a presentation on regulatory compliance, which Whitworth believed was very important.
“I commenced what was destined to be a 30-page PowerPoint presentation. I believe I got half-way through the second slide before I was politely told, ‘Maybe you want to present this as a summary at the next meeting.'”
