For the past couple of quarters, I’ve been leading regional working group sessions focused on increasing the CISO’s clout with the Board of Directors and the C-Suite. InfoSec often lacks the influence and budget it deserves, and these CISO-only sessions have been helpful in revealing ways around these common problems.
Here are three practices, gleaned from leading CISOs, that I hope you’ll consider implementing:
1. Link Information Security to Business Priorities
From an informal straw poll that I’ve been conducting, I’ve learned that 60 percent of CISOs can’t articulate their CEO’s top 3-5 business priorities. When you don’t know the business leaders’ priorities, making InfoSec relevant is nearly impossible.
This is a common problem for our industry, so I was blown away when a CISO from an IT services firm recently articulated his CEO’s two primary business initiatives and then discussed how his InfoSec team is accelerating the company’s efforts to achieve these goals.
The firm’s first goal is to make quick acquisitions, and the CISO explained how his InfoSec organization is cutting the time to integrate an acquired company by 20 percent by reducing and streamlining steps in the due diligence process. His team is also supporting the second initiative, shortening the sales cycle, by becoming FedRAMP certified and re-working how they respond to compliance requests. He estimates that these efforts have shortened the sales cycle by 15 percent.
Aligning with the CEO’s business priorities forces InfoSec to work on initiatives that drive enterprise value. This, in turn, increases your clout with the Board.
As one of the savvier CISOs put it: “If I can show how I’m helping the CEO get his ‘A List’ done, how can they not invite me to the big table?”
2. Understand the Financial Implications of your InfoSec Decisions
During our joint RSA Conference presentation in April, Doug Graham, CSO at Nuance Communications, told a story that highlighted the importance of aligning a security strategy with the business. As Doug tells it, he and his team were charged to create a security improvement plan following a targeted cyberattack that led to a very serious breach. The plan was tight and well-formed. Every “t” was crossed and every “i” was dotted. It went into detail as to what the company needed to do to better protect itself and was presented to the CFO for budget consideration.
The CFO appreciated the completeness of the plan but noted that funding it fully would shave two cents off of quarterly earnings. So here’s Doug’s advice: even if your solid security plan is perfectly in line with the business, be sure to check company financials to make sure your plan is considered against what is reasonably affordable.
3. Team Up with Your CFO to Understand the Value of Your IP Assets
Many CISOs use external standards such as NIST as the framework for their Board reporting. This might work for now, but we’ll need to do better. What savvy Board Members really want is a financial articulation of the risks being reduced through the company’s InfoSec expenditures. They want an InfoSec ROI.
Most CISOs aren’t yet ready to have substantive ROI discussions with their Board – but this day is coming. So how do you get started down this path?
Begin by assigning values to your organization’s significant intellectual property (IP) assets and then getting agreement from your peers and your Board on these values. Building consensus on the values of these intangible assets will generate more meaningful conversations about where to best deploy scarce InfoSec resources.
Using this approach, one IANS client estimated that the data in their Salesforce CRM was worth well over $1.2B. This platform had gotten little attention prior to this exercise, but it turned out to be one of the organization’s most valuable assets.
“Having agreed upon valuations [of IP] has changed our discussions,” remarked a CISO from a large financial services firm. “We actually shuttered some efforts once we realized how small the value was of the asset that we were
The hard part is getting started. Many of us in the InfoSec space are engineers by nature and training. We deal in precision, not estimates. But you have to begin somewhere, and making educated guesses is the essential first step. “Precision is the enemy here,” noted one CISO. “If you can be even directionally correct, you will go a long way in changing the conversation.”
Here’s your ‘to do’: Partner with your CFO, be transparent with your valuation assumptions, and acknowledge that these are rough, educated guesses.
These three practices are just a few of the insightful lessons gleaned from my recent CISO-only working groups. I’ll be sharing more insights from these sessions in the coming months, but in the meantime, consider putting some of these tips to work.
The battle for clout – and an InfoSec budget – is not an easy one.
Additionally, we have a number of other CISO-only, closed-door sessions planned around the country this year. Take a look at the calendar and, if your schedule allows, please come join us at an upcoming CISO Roundtable.
November 13, 2019
By Phil Gardner