“A cost center that doesn’t align with the rest of the organization. Is run by people who don’t understand the business objectives. The part of the organization that fails to deliver return on investment. The department of no.”
If you’re a CISO or an information security leader, these are some of the phrases that you may have heard used to describe your department (or possibly you). Whether or not these depictions are accurate is debatable. But what’s not open to discussion is that the role of information security executives has evolved. CISOs may now find themselves talking to investors about how an attack impacted quarterly earnings in addition to more traditional duties like managing a SOC.
Learn from CIOs
Fortunately, CISOs aren’t the only leaders with a technology background who had to demonstrate their business acumen to peers. CIOs had to make this same transition. When these technology leaders began to appear in organizations about 15 years ago, they also had to align with the business objectives. CISOs now find themselves in the same role. They’re in the boardroom with peers who don't understand how security impacts them.
CIOs earned the trust and respect of other executives and the board by getting technology in tune with business operations. Technology was no longer done for the sake of technology. Instead, IT was used to aid the business. Now technology is viewed as essential to providing organizations with a critical advantage over their competitors and having CIOs report to the board is routine.
The same outcome awaits information security departments and CISOs if they learn the language of business and use it to frame conversations around information security. The concept is simple: relate every information security project to business objectives and avoid technical jargon. Most likely, business executives don’t understand computer science or the finer aspects of securing a network. But they do understand and care about fending off a DDoS attack and patching critical vulnerabilities that attackers could exploit to steal intellectual property.
Bridging the business, information security gap
Bridging the gap between security and business is probably one of a CISO’s greatest challenges. Increasingly, security executives are appearing in front of boards and c-suite executives, which indicates that the organization understands the importance of information security. The issue is that the board and executives don’t understand what the CISO does and how their position benefits the bottom line.
To connect with business-minded colleagues, CISOs need to learn and speak the language of business, which centers around these six themes:
- Risk
- Revenue
- Employee efficiency
- Strategic value
- Cost
- Customer satisfaction
Addressing risk and determining how to mitigate it is particularly important for CISOs when talking to other c-levels and the board. Risk mitigation is the link between a company’s security and business units: CEOs, COOs and CFOs want to reduce risk, and CISOs are the ones who can accomplish this task. CISOs need to be perceived as relevant to the business and as the voice of risk in the IT stack.
Don't forget your technical skills
Becoming business savvy doesn’t mean that technical knowledge and maintaining relationships with the people who carry out IT security become less important. CISOs must master being involved in both of those realms. Security executives need cred with the analysts who attend Black Hat. But they also need to earn a seat in the boardroom by demonstrating that they’re the source of insight into risk from an IT infrastructure perspective.
Want a deeper dive into the language of business? Then check out CISO Tips: Speaking the language of business, our latest white paper. You’ll learn in detail how the concepts of risk, revenue, employee efficiency, strategic value, cost and customer satisfaction relate to information security.