Three leading global chief information security officers (CISOs), with a wide range of experience across different industries, warned that if CISOs do not improve their ability to communicate cyber risk to business executives and boards of directors, the CISO position itself could disappear within the next 10 years.
“The successful CISO is the [one] who can translate between technology and business,” said Mark Brown, Global Managing Director, Cybersecurity and Information Resilience at the British Standards Institution (BSI), speaking May 5 at ThreatConnect’s CISO Challenge Series Webinar. “And for me, we have to be very careful because the profession, as we know it, could die in the next 10 years unless we fix this,” he said.
“Have you read your company’s annual report? Do you know what your company’s strategy is, not just today or tomorrow but the three-, five-year strategy, and what the role or the importance of digital and trust around security is?” asked Brown. “If you can’t answer that, you’re not a CISO.”
Jeff Horne, Chief Security Officer at Ordr and former Senior Director of Information Security for SpaceX, agreed with Brown’s assessment of the possible future of the CISO position.
“That art of communication I think is lost on a lot of CISOs,” Horne said. “Either they know how to do it and they do it regularly and they’ve lost some of the technical stuff or they’re way [too deep] in the technical weeds and it’s very difficult for them to shift out of sixth gear…and start communicating at a board level.”
Metrics That Matter
Board members bear the responsibility to govern all areas of a corporation. Delivering a siloed, technical view of cyber misses the mark for the business-centric board. In fact, it risks creating distraction and confusion. Because the board communicates and operates at a high, strategic level, CISOs must tailor and prioritize their messaging to this level. The board doesn’t need to know about every blinking light on the security dashboard. Rather, CISOs must use the business context to prioritize the handful of risks that are most urgent to the business.
BSI’s Mark Brown, who also served as the Global CISO at SABMiller plc, said he keeps his board reporting simple and tied directly to the company’s stated business objectives and what the board is most concerned about.
“In the days of SABMiller, we always talked about production volume rates per hour. One hour of downtime was $10 million of lost revenue,” Brown said. “It’s a very simple metric when you look at it like that. One hour equals $10 million. One day, a quarter of a billion dollars,” he said.
“That’s, for me, the key metric that every CISO should know,” Brown said. “And especially any CISO with an operational environment. It’s really simple to calculate. Find out what your annual revenue is, and then divide that number by 365, then divide it by 24. That is one hour of downtime for your business. If you don’t know what that number is, then you’re not going to be able to have a translatable conversation with your board about what an appropriate investment is for your organization in cybersecurity.”
“Finances always have traction,” said Christopher Gates, Director of Product Security at medical device maker Velentium. “Especially in my arena, which is medical devices, you’re looking at recalls, which are incredibly expensive. You’re looking at the loss of customer reputation, bad PR, potential loss of lots of money and finances as people move away from your product to go to a competitor. So you can express all of these in terms of dollars,” he said. “That kind of an explanation really gets their attention because they see the money that’s been spent, they see the money that it will take to fix this issue and mitigate it.”
Accurately quantifying risk remains a critical tool in the CISO’s ability to communicate effectively and gain support from the business, said Horne. “If they cannot communicate from a business perspective and they’re coming in on a business that makes $20 million in revenue a year, and they’re asking for $13 million in firewalls because they’re trying to solve some crazy issue, that’s not going to work,” Horne said.
CISO as Business Leader
BSI’s Brown, who first raised the question about the tenuous future of the CISO position, emphasized the importance of CISOs demonstrating that they are business leaders, not merely holders of a CXO title without the CXO capability.
“As a community, as a profession, many of us have a CXO title without a CXO capability,” Brown said. “If we can become that business leader with a functional specialism around information risk management, about enabling the business, not inhibiting the business, then I think there’s a real opportunity for the profession to really take that advanced step forward.”