Many CISOs I have worked with over the past 10 years have consistently complained that no one else in the executive suite understands them. They can’t get the right level of support. They face constant roadblocks. Basically, they’re perplexed that business people are actually more worried about business.
My response has always been that they weren’t Pragmatic enough. Of course they can read the book. Maybe they even adopt the concepts, and some will still run into the same difficulties. Basically, business folks won’t get it – until they have to.
And lately, given the high-profile breaches and the beginning of CEO witch hunts, senior executives can no longer avoid security. Not entirely, anyway. But some CISOs have broken through and become real executives. Folks who other executives consult when making decisions. A person, running a group that adds value to the organization. I know! That’s pretty cool.
How do you get there? Yes, you should be Pragmatic. But you can also take some tips from Qualys’ CSO, Andrew Wild. He gave a pretty good interview to the Enterprisers Project about how CISOs can break through. Shockingly enough, it involves talking in business speak.
“The board level interest requires a risk-based approach, and infosec leaders must embrace this and move away from a security controls focused approach to information security. That’s not to say that security controls aren’t important, because they are, but, from the top down, the focus needs to be on risk management. A critical component of implementing a successful risk-based approach is building strong relationships with business units, approaching them in a consultative manner to offer assistance and guidance.” — Andrew Wild, CSO, Qualys
There are many other good tidbits in that interview. But remember that if you want to play in the C-suite you had better understand your business and how security can make it better – whatever that means for you.
Photo credit: “CEO – Tiare – Board Meeting – Franklin Canyon” originally uploaded by tiarescott