According to a recent Gov.UK survey, 31% of businesses have been attacked at least once a week in the past 12 months. With cyber threats becoming the norm, CSOs now have a key role to play in communicating these to the wider business and providing a clear road map to ensure their organisation’s security at all levels. The result? The chief security officer is under increasing pressure to build their profile within the business and become even more influential at the C-level table.
But what are the key steps CSOs can take to navigate cybersecurity threats with clarity, understanding and perspective? Here are a few practical tips.
Be the enabler, not the blocker
Historically, security professionals have been viewed as a “blocker,” someone who inhibits the ability to deliver a product. In other words, when a risk is identified, security says “no” to the proposed project or product release, claiming the potential risk to the organisation is too great. The CSO needs to change this perspective by communicating that the overall mission is to enable business success by securing the organisation, even when security controls occasionally come into direct conflict with another department’s deliverables or projects.
The CSO can provide the right security-related guidance and background to help leaders make business decisions. This person should be willing to say: “We all know how important this product rollout is, but we’re going to need to pause the release of this piece of software. It poses too much risk to the organisation.” The CSO should communicate that business success and security go hand in hand. All employees should be invested in supporting, maintaining, and respecting security practices to ensure that success.
Know your audience
At various points in my career, I worked with security leaders who were extremely technical, with a very deep understanding of security vulnerabilities and the associated risks to the business. Unfortunately, these people didn’t have the ability to communicate these risks “upward” or explain them in simple terms. The CSO should be able to actively “translate” the technical specifics of security risks into language that other C-suite leaders can act upon.
A standardised framework can help illustrate security vulnerabilities and how they could potentially impact the organisation. A risk register identifies a threat, outlines the probability that it will affect the organisation, and presents the overall potential impact. The CSO should maintain and share this risk register at the executive level and at the board level. This person should also be able to prioritise the identified risks and participate in discussions about the budget needed to resolve the high-priority issues in a timely manner.
The risk register should be broken down into specific sections that align with the various business units and stakeholders: infrastructure, web applications, internal systems, physical security, and so on. When you outline the direct consequences of a particular risk and which business units are affected, you open a dialogue with those stakeholders. You also convey how security touches every part of the business.
Maintain and communicate a positive outlook
Identifying, prioritising, and communicating threats are only part of a CSO’s role. How can a CSO mitigate and address risk in real time while helping the business achieve larger goals? Instead of rejecting all proposed projects due to risk, the CSO should work toward tangible, positive outcomes despite the risk that’s been identified. After identifying the threat, the CSO should find a clear road map past the risk while ensuring that potentially affected business units are secure.
This ability to see security issues through an additional “business” lens can help the CSO be viewed as a business enabler rather than a barrier to progress. Over time, the CSO will be better understood and appreciated by C-level peers as someone who does their job while also speaking “the language of the business.”
Our current environment of heightened risk, ever-increasing fraud, and constant alerts underscores that the days of security as a second-class citizen are over. CSOs are taking their rightful place at the executive table to help organisations navigate potential security threats with clarity, understanding, and perspective.