During the recent RSA Conference Abu Dhabi, Mark Butler, CISO at Qualys, presented a keynote talk on “Digital Transformation and the New Role CISOs Need to Play.” Drawing on his experience as the former CISO of a global financial services technology provider, Butler spoke about the reasons cybersecurity practitioners continue to play an ancillary role on the executive team as compared to other C-level executives.
For several years now security practitioners have been congratulating themselves at “finally earning a seat at the table.” What they are most likely referring to is the emergence of the CISO role, itself, and the fact that cybersecurity has become a board-level topic. The reality, though, is that the head of security doesn’t occupy the same influential space as other employees with similar titles. Heads of finance, sales, products, R&D, and legal routinely affect more sway on the direction of the company and with boards of directors than do security leaders. While the security of the company’s systems and data is a question on the tips of everyone’s tongues, we’ve yet to see organizations significantly alter growth or operating strategies based on cyber security concerns (in fact, we’ve seen companies specifically ignore security issues because attending to the issues would slow down operations). The reasons are myriad—and we might never see security impact an organization’s plans in a major way, as security, at its heart, is just another risk component—but Butler thinks a contributory factor is how CISOs, and security teams more generally, position themselves to the rest of the company. And this all begins with language.
“The language of the CISO is not the same as the language of the board of directors, business leaders, or even technologists on the CISO’s team,” Butler said during his presentation. And though security practitioners have been discussing this conundrum for years at industry conferences and networking events, it seems the vast majority of practitioners—including CISOs—continue to talk about cyber threats, threat actor behaviors, and techniques (if the board is fortunate. If they’re not, the board gets to hear about malware remediated, rates of blocked spam, or the bandwidth consumption of a DDoS attack, none of which answers business leadership questions). Running a security program, though, cannot be at the expense of the business, said Butler. Security can’t be, “Either we focus on running a traditional security program driven by audits, or we’re an agile company that grows into new markets, new products and services, and leverages technology to innovate.” In today’s fast-paced business environment, it’s not either/or. Executives and boards of directors demand speed, agility, and visibility into risks and opportunities in order to grow business and gain market share. They want answers to questions such as: When will new products and services be available? When will I realize revenue? How do I better serve partners and clients? These are the questions Butler had to frequently answer in an end user role, and he quickly learned that talking tech or insinuating the company would have to take two steps back to accommodate cybersecurity wouldn’t earn trust among colleagues.
“CISOs are essentially untrusted or semi-trusted,” he explained, even today, with all the attention breaches and ransomware bring. The key, said Butler, is aligning with chief business strategies and specific goals the business is driving hard to obtain. On the surface, this advice sounds ridiculously obvious. However, during his time as an end user CISO and now as the CISO of a security vendor organization where he regularly speaks to security executives, Butler says CISOs are not focused on business value creation. Instead, he repeatedly hears that security organizations are fixated on infosec programs or, more recently, cyber risk management. While cyber risk management is a better direction than focusing on security for security’s sake, it’s not enough.
Creating business value
To achieve the goal of cyber risk management and business value creation together, Butler says CISOs need to shift mindset, language, and relationships. In terms of mindset, security teams must consider how security facilitates innovation and new products, meeting financial goals, and agility. In terms of language, CISOs must move away from talking about attacks, threats, and potential vulnerabilities using fear, uncertainty, and doubt to try to gain interest, commitment, and budget. In terms of relationships, security must become a trusted partner, which can only be accomplished if security understands—by meeting and speaking with business leaders—company-wide goals and interests, workflows, and patterns of behavior; security’s KPIs (key performance indicators) are not unique and distinct from business KPIs.
Security must integrate its capabilities into existing processes to help employees/partners/clients meet objectives while staying secure. It can’t be either/or. It can’t be, “humans will always be vulnerable.” The CISO’s mindset and actions have to transform to keep pace with needs and goals of the business. Only then will CISOs be true, trusted partners who help drive business forward. At present, the infosec mindset, and accompanying language which focuses only on running information security programs, is one that is antithetical to growth and innovation. Butler rejects this claim that running a cyber program is enough and says that CISOs should change their mindset to holistically run the core security program elements, eliminate non-beneficial activity, and move resources to integrate with and help meet critical business objectives. When this shift occurs, so too will the ability of security to contribute to the business in a way that’s above and beyond “keeping us minimally safe” in the eyes of the rest of the executive team.
Mark will co-lead the Cloud Security Summit on March 22, 2018 at InfoSec World in Orlando, FL. Attend this event to learn more about how to transform your security organization.