The following is a guest post from Phillip Lee, cybersecurity advisor at Reisender. Opinions are the author’s own.
Security leaders are clamoring for a seat at the table to help their organizations face strategic threats and stay ahead of emerging regulatory requirements for board-level security expertise and reporting, and rightfully so.
That said, bringing a new role onto the executive team is a significant undertaking, and the business needs, the role, and the individual in that role should all be considered. These guidelines should help you as a CFO, and your board, determine whether your chief information security officer is ready for a seat at the executive and boardroom tables. They will also help you support your security leader in the areas where they may need to grow.

I have seen security leaders fail by getting too technical or philosophical when talking to executives. I have also seen security professionals or leaders without a C-Suite title excel in those conversations. Consider the elements below to help you evaluate whether your CISO displays sufficient proficiency as you decide when and how to bring security leaders to the table, something you certainly should do.
Make sure your CISO has:
Executive presence. This one is the most obvious and the most readily noticed by other board members, so while I will not belabor it, it is a factor that must be considered in the context of the rest of this article. The CISO's leadership development track differs from that of classic C-Suite members, so you should focus on giving up-and-coming security leaders in your organization development opportunities that let them build executive presence.
One key indicator that your security leader already has, or can develop, the appropriate level of executive presence is the quality of their relationships outside the security and information technology spheres of your organization. A CISO who builds relationships and understands business operations outside their own area of influence is likely to contribute to the broader business objectives.
The right level of technical skills. The right level of technical security skills for CISOs is one of the most fiercely debated areas within the cybersecurity community. Realistically, the extent of the CISO’s technical proficiency should be commensurate with the needs of the role, and that can vary widely depending on whether your company is a technology firm or in a non-technical sector.
What you should care about regarding technical skills is whether your CISO can translate technical risks, vulnerabilities, and needs into the appropriate context for non-security leaders. Leaders from a technical background often struggle here, but the ability to translate these topics for executives can be taught.
The right level of GRC skills. Governance, risk management and compliance are often key areas of focus for CISOs, even when shared with other functions such as legal, compliance and operations. Your security leadership should be able to connect security risk and compliance needs to your business risks and value drivers.
Your CISO should be able to develop an alignment between security GRC activities and business risk management activities like enterprise risk management. A leader who resists this alignment is unlikely to build the right relationships and connections at the executive table since security programs work best when integrated with other operational flows.
Reporting capabilities. The ability to present information with the appropriate level of detail, format, and delivery is essential for CISOs to contribute effectively to executive sessions. A security leader who takes this seriously will take the time to meet with other leaders in the organization to align on materials ahead of presenting them to senior leadership. Watching how your CISO responds to reviews and feedback in meetings will help gauge their demeanor when they must discuss difficult decisions with senior leadership.
Evaluating your CISO should involve multiple executives, including those from operations and legal, so that they can provide valuable feedback on the security leader's performance. A CISO prepared for a leadership role will already have reporting cadences across the business that keep security aligned with other departments.
Financial/budgeting acumen. Many CISOs and security leaders learned to build budgets and request funds in an ad hoc manner. This does not mean they lack the required skills; however, it may mean they need coaching to align their approach with the finance department's methodology. A security leader who can map cybersecurity needs and risks to the correct financial standard will be more effective in board and budget discussions.
Look for leaders who quantify risks financially where possible, adjust budgets to the organization's financial position, and tie budget requests to specific metrics or risks.
Bridge builders. Building bridges runs through many of the topics above, and it is a critical skill for a CISO at the executive and board levels. Some security leaders achieve their goals through fearmongering and the threat of malicious actors. As a result, they are often unable to develop trust and credibility in front of executives.
Look for CISOs who regularly meet with you, your peers and the core business functions, and who then incorporate those perspectives into the security program. A recent example was likely how your CISO approached the use of artificial intelligence within your organization: was the posture collaborative, seeking business input, or inflexible and uncooperative?
The importance of the right team
Deciding how and when to give your CISO a seat at the table is more than just an evaluation of the individual in their role; it is also an evaluation of the team they built. A security leader who is ready to report to the board and act as a part of the organizational leadership has a team that can support them in that position.
Look for a multi-faceted security team with team members who display some of the attributes you expect from your CISO. Look for a CISO who coaches their team and gives them opportunities to hone the skills needed to support the organization.
A great CISO will spend time developing their team and using it as an amplifying element in executive and board-level reporting. A leader who brings up-and-coming leaders from their team to present on relevant topics, or to augment their own knowledge, is showing a good sign that your security leader will be valuable at the table.
Some of these factors may seem straightforward or even simplistic, yet they should be carefully considered as your leadership team decides the role cybersecurity will play in your corporate structure. Consider the metrics and standards you hold your other executives to when it comes to having a seat at the table, and incorporate those same factors into how you evaluate your CISO.
The skills mentioned here can be developed internally or acquired through external recruitment, and your cybersecurity leader does not need to possess them all personally. However, before you bring your top security leader into the executive fold, all of these skills should be present somewhere in that individual's team.