While the cost and frequency of cybersecurity incidents are on the rise, there is still some debate about the CISO’s role in this whole conundrum. Fewer than half of companies employ a full-time CISO. Of those companies, even fewer have the CISO reporting directly to the CEO or board of directors, putting the position one notch lower than fellow C-level executives.
To be certain, the “CISO” title is newer than that of “CFO” or “CIO,” but that doesn’t mean the CISO shouldn’t have the same level of influence within the organization, especially considering the threat cyber incidents pose to companies’ productivity and agility. However, only some CISOs have achieved the same level of organizational influence and respect as similarly-titled peers, says Tom Eston, Manager of Penetration Testing at Veracode.
Company culture is the top determining factor of whether or not the senior security executive is considered a heavyweight, says Eston. Second to culture—and likely an influence on culture—are the relationships the CISO has (or has not) built within the organization. “The number one thing I’ve seen [security leaders] do wrong,” says Eston, “is not having the ability to foster good relationships—in terms of having the right discussions and caring about peers and what their jobs are.” This lack of caring—perceived or real—impacts how other business leaders view the CISO and the whole security organization. Building the right relationships and achieving influence can positively transform a security team; it’s just up to the players to take the reins and do it.
In this short video, Eston explains the difference between a leader and someone who holds a top security title, shares why it’s important for security practitioners to become leaders, and provides clear steps on how anyone can become a leader through self-reflection and a bit of hard work.
Tom will be speaking on security and privacy at InfoSec World 2018 in March. Attend MISTI's flagship event to hear his talk and more!