Many companies grapple with integrating cybersecurity awareness into the organizational culture. After many years as a CISO and cybersecurity consultant, I believe the answer to this perennial problem is to encourage the organization to “own” security. The first step towards this goal is to establish a cybersecurity council composed of representatives from various business units.
Some organizations already have such a council in place, though perhaps not realized as fully as it can be. There are certifications that require the existence of an information security steering committee, but such a committee can be so much more than a mere compliance checkbox. Such a committee should be created to steer the organization’s cybersecurity strategy.
The council should represent every nook and cranny of the business – preferably at the VP level, where the relationship between a given function and the greater organizational goals is to be expected. A representative from Sales or Marketing or HR, for example, would understand the unique business needs, tools and processes of their respective departments. Introducing leaders from these departments to information security can be an eye opener for all of them and will yield more meaningful feedback to your security plans. Having these leaders in your committee will raise your awareness of the business as well.
Despite her expertise on the subject, the CISO should not be the only one deciding what the company’s security priorities should be. Nor should it be the CEO, and for many of the same reasons: no one person should own that much decision-making power over business risk, and collaboration should be the heart of the security program anyway. Each member of the council brings some critical business and risk awareness of their own to the collective attention of the group. Council members should jointly determine the company’s security priorities, weighing Sales against Marketing and Marketing against HR from a broader context.
Having served as chairman of a few such security councils at organizations where I also led the cybersecurity teams, I facilitated exchanges among the council members, encouraged a better awareness of the entire business for all members, ensured that healthy communication was in place, taught all parties to think in terms of business-impacting risk, and helped steer discussions from “what is happening” to “what can be done”.
Leading the information security council has also helped me establish and nurture good relationships with the people “upstairs” – both the executive leadership of the company and the board of directors. With key leadership roles from the entire organization actively involved in the committee, dialogues with the company leadership and the board tend to take place on a more frequent basis than without such a committee. Seeing their most valued players actively engaged in security tends to encourage the business leadership to seek more understanding of security.
Leading my Own Team
In my own sphere with my cybersecurity team, I try to provide strategic vision, guidance and a greater business perspective to individual members.
When you lead a strong enough security team as I have been lucky enough to lead over the years, the team wants to set an aggressive pace in addressing all the security concerns before them. That’s their job – to focus on security issues wherever and however they appear. My role as a cybersecurity leader is to translate business needs and priorities into a disciplined security approach, teaching the members of my team to contextualize security concerns not in the vacuum of security standards, but in the context of business. There are things that must be addressed with urgency, not because of security requirements per se, but because of business need. One issue might represent a glaringly obvious security deficiency, but another issue that engenders less overall security concern might take priority because of specific business need.
I also work with my individual team members, so that they understand how their role fits the bigger set of goals. Where exactly do they fall in the grand scheme? This is important when they find themselves at a decision point.
All this is done in an open, collegial manner. I encourage them to come to me anytime and have open conversations. It’s not a matter of me laying out something and them blindly following it. On the contrary, I want them to question and challenge me. Again, collaboration is key.
The council should establish a three-year to five-year strategic security plan. It is important to ensure that the council proceeds with the same sense of business awareness that is instilled in the cybersecurity teams, but with an eye towards the greater strategic business goals and plans. A security plan that is not aligned with the greater business plan will not only fail but is a recipe for chaos and confusion.
There is an old joke that being a CISO means having two sales jobs: first you sell the security problem, and then you sell the security solution. Fortunately, in today’s climate of identity theft and mega breaches, the salesmanship task is a bit easier in most environments. I find myself selling the problem less and less, because more folks are realizing just how important and far-reaching security is.
There is, however, a new risk that comes with this. Organizations may think that once they have a CISO, then security problems magically vanish. But if the CISO works in a vacuum, and is not connected with the business, no meaningful strategic work can be accomplished. Security is not an end-state but a process. When the business sits down at the security table, that process becomes integral to the business, and the results show it.