As a Chief Information Security Officer (CISO), your CEO might view you as a magical “shield,” a single person in charge of protecting the company from cybersecurity failures. In truth, no one can or should be tasked with singlehandedly safeguarding the company from cyber-crime, but the CISO will still be the one to “take the fall” if, or rather when, an attack occurs.
CISO turnover has become a pandemic of its own over the last few years. 24 percent of Fortune 500 CISOs leave their position after one year, according to a comprehensive study conducted by Cybersecurity Ventures, and the average tenure for all CISOs in the US is between one and a half and two years.
When things go wrong, it’s not only the CISO’s job on the line. Your CEO is the business leader of your organization, and their job security can be just as vulnerable as the CISO’s when hackers strike. Unsurprisingly, the relationship between a company’s CISO and CEO can quickly become contentious. Here, we’ll dig into what we see as the top seven reasons why your CEO may be looking for a new CISO.
1. You were breached, and you could have prevented it
In today’s cybersecurity climate, we can’t realistically expect a CISO to prevent every data breach attempt, and it is perhaps unfair to place the blame entirely on the CISO when they do occur. However, we’ve seen many instances of high-profile attacks that could have easily been prevented.
We recently explored the failed Port of Houston attack, which was quickly contained due to measures already in place. The preparedness for and response to this attack is a perfect example of how cybersecurity can work, even with the growing prevalence of cyber-attacks.
The Port of Houston cybersecurity success story is, unfortunately, not one we hear the most often. For example, Cisco experienced a breach when a disgruntled former employee, months after leaving the company, wrought havoc by deleting hundreds of virtual machines and deactivating thousands of Webex Teams accounts. Cisco could have thwarted this attack by revoking the former employee’s credentials and permissions on the day he departed, which is exactly what a zero-trust permissions policy requires. In this example, that policy would have been just a minor part of a larger, comprehensive security strategy.
A CISO is more than just a figurehead. As the leader of your organization’s cybersecurity strategy, it’s your responsibility to ensure that strategy permeates every level of business, making your company resilient to attacks. It’s your responsibility to foster a culture of best practices.
2. You haven’t been speaking their language
Again, when things go wrong, it’s not only the CISO’s job on the line, which is why it’s essential to have clear communication between a CEO and CISO. As the business leader, the CEO needs to have the trust of the Board, which requires a clear and continuous understanding of the organization’s risk posture. It’s not the CEO’s role to understand the technical details of a security vulnerability – they need to understand what a successful exploitation of that vulnerability will cost the organization in dollars and cents.
Axio’s CEO, Scott Kannry, gives his perspective in detail here. In summary, the CISO needs to understand that a CEO’s main concerns are “growing the business and increasing shareholder value. As it relates to cybersecurity, [a CEO wants] a holistic picture, not a discussion of the latest technologies.”
In practice, this means taking a different approach from traffic light KPIs and arbitrary scores and indices in your weekly executive meetings. When a CISO depicts a risk area as a Yellow or Red on a status report, the CEO lacks the context to understand what those colors mean.
As a CISO, you will need to get buy-in from your CEO for projects and initiatives. Cultivating C-Suite support does not have to be a challenge if you can demonstrate the business value. For example, when you approach your CEO, don’t present absolutes or ultimatums. Give them more than one option and present a high-level summary of the different business tradeoffs that can be made in your proposal. Make clear what the actual business cost will be vs. actual risk reduction. Ultimately, the CISO and CEO share the same goal in preventing cyber-attacks.
3. No Visible ROI on Security Initiatives
Many CISOs struggle with demonstrating their security program’s ROI. Your CEO wants to know whether – and to what extent – the implementation of more security measures is accelerating business productivity and ultimately the company’s bottom line. Cybersecurity is more than just defense – a successful program will also help drive the business forward.
When you get buy-in from your CEO and Board on a particular security initiative, you must be prepared to track and demonstrate ROI. CEOs and business leaders want to know if you’re making progress and doing due diligence. CISOs ask for more money every quarter, but what are they spending it on, and how can they show the CEO what that money bought?
For example, at an enterprise level, your business probably spends a significant portion of its budget on dozens of cybersecurity technology solutions, each of which carries the added cost of the staff time needed to implement and maintain it. The average company uses more than 50 security vendors, with 62% reporting they want more. How can you ensure you’re getting the most out of these tools and focusing your energy in the right direction?
A critical part of a CISO’s job is to prove positive ROI on investments. As with learning to “speak” your CEO’s language, the key is showing how your security initiative adds business value to the company. Impact Business Technology, partnered with Axio, offers a platform that can help show “with certainty how new [cybersecurity] initiatives for IT security will reduce or eliminate risk and demonstrate a clear ROI.”
Initiatives that directly support financial gain, such as building a new software product that generates revenue for the company, are easily measured. The challenge a CISO faces is that the budget needed to execute a sound cybersecurity strategy is not measured as easily as software sales. This is where the Axio360 platform and Impact Business Technology can “build a comprehensive picture of the costs of a security incident covering all facets of the business,” said Brittany A. Bohacz, Director, Alliances for Axio.
4. You Are Using Traffic Light KPIs in Your Weekly Executive Status Updates
When presenting to the CEO or Board, a CISO must be clear in their vision statement. KPI (Key Performance Indicator) and Board reporting can quickly devolve into a hugely abstracted (and boring) presentation.
In preparation for these weekly KPI reports, you can expect to get a lot of data from your various teams, and it’s your task to turn this plethora of information, all from different sources, into a cohesive story. Reporting this information upwards is tricky because you’re receiving so much data from all over your security environment, and you will inevitably lose details as the data moves up each level of seniority.
The biggest challenge, then, is showing your teams’ progress. For example, maybe last month you moved a project from Red to Yellow, which is good, right? But then you could potentially spend months, or even years, in Yellow because the time commitment needed for the underlying projects is extensive. Progress is being made on the project, but its long-term status in Yellow can obscure the actual progress being made.
How can you show value when your KPIs suggest that nothing is happening? A detailed executive dashboard. You can show a much greater level of detail, and progress, in the same amount of time it takes to present traffic light KPIs. Axio can generate a more detailed dashboard that a CISO can use to demonstrate actual progress. Instead of reporting one abstract number, you can use this dashboard to break down risk assessment areas using graphs. This approach keeps your details accessible to the CEO and Board members and highlights your teams’ progress objectively.
5. You are constantly asking for more money
More spending does not necessarily guarantee better security. Naturally, your CEO wants to look good before the Board, which won’t be possible if they don’t understand where your money is going or why you continually need more. They may also be skeptical, and rightly so. “Data breach fatigue” can affect management at every level of the business, and it is most dangerous when it reaches the CISO. The sheer volume of cybersecurity information means that CISOs need to discern what is essential information for their business and what is principally “noise.” If you can do that, you’ll be better equipped to justify the amount of spending you need.
Your CEO needs to be confident that the money you get will be used strategically. As a CISO, your job is not to resolve every potential vulnerability but to uncover cybersecurity risks and have a mitigation strategy in place that meets an “acceptable level” of risk. As with your weekly KPI reports, you can use Axio’s detailed dashboards to model different cost scenarios clearly and efficiently. Empower your CEO and company to trust that you are building and implementing a cybersecurity strategy that fits your business at scale, which ties in directly with reason number 6.
6. It takes you forever to answer: “What would it cost if an attack happened to us?”
IBM’s Cost of a Data Breach Report 2021 found the global average total cost of a data breach was $4.24M. The average cost of a healthcare data breach is more than double that at $9.23M. In recent breaches, we saw Colonial Pipeline pay roughly $4.4M in ransom (75 bitcoin at the time), and SolarWinds lost an estimated $18M in the first three months alone following their attack. Looking at these stats and reports of high-profile attacks, of course, the big question on your CEO’s mind is going to be, “what would it cost if it happened to us?” As CISO, it’s your job to get them the most accurate estimates possible.
To optimize your cybersecurity program, a risk-based approach to cybersecurity goes above and beyond the traditional compliance-based approach. How do you model the different cost scenarios that could affect your business? Calculating risk is speculative by nature, and cybersecurity is not a “one size fits all” concept. The Axio360 platform can help you build different scenarios tailored to your unique business and industry needs. Your CEO is interested in seeing “what the top risk is in financial and operational terms,” and the Axio platform allows you to “prioritize cyber risk based on financial impact.”
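The scenario modeling described above, and the “business cost vs. actual risk reduction” framing from reasons 2 and 5, can be made concrete with a small quantitative model. The following is an added example written for this page, not Axio360 code or Axio’s method: it models one scenario as a Poisson incident frequency and a lognormal single-incident loss (a common FAIR-style simplification, assumed here), simulates a year of losses many times, and reports the numbers a CEO actually asks for, in dollars. The ransomware scenario, the “tested offline backups” control and its $300,000 annual cost are constructed illustrative inputs, not figures from any real organization.

```python
"""Monte Carlo cyber-risk scenario model: what would an incident cost us?

Each scenario is described the way a business owner can estimate it:
how often the event is expected per year, what a typical incident costs,
and what a "bad but plausible" (90th percentile) incident costs.  Frequency
is modelled as Poisson and single-incident loss as lognormal (an assumed,
FAIR-style simplification), then the annual loss distribution is simulated
and summarised in dollars rather than traffic-light colours.
"""
from __future__ import annotations

import math
import random
from dataclasses import dataclass
from statistics import NormalDist

# Standard-normal z-score of the 90th percentile; converts a p90 estimate
# into the lognormal sigma parameter.
_Z90 = NormalDist().inv_cdf(0.90)


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float  # expected incident frequency (Poisson lambda)
    median_loss: float      # typical single-incident cost, in dollars
    p90_loss: float         # one-in-ten "bad" single-incident cost

    def mu(self) -> float:
        return math.log(self.median_loss)

    def sigma(self) -> float:
        return math.log(self.p90_loss / self.median_loss) / _Z90

    def expected_annual_loss(self) -> float:
        """Analytic annualised loss expectancy of a compound Poisson/lognormal."""
        return self.events_per_year * math.exp(self.mu() + self.sigma() ** 2 / 2)


def poisson_sample(rng: random.Random, lam: float) -> int:
    """Knuth's method: count uniform draws until their product drops below e^-lam."""
    threshold = math.exp(-lam)
    k, p = 0, rng.random()
    while p > threshold:
        k += 1
        p *= rng.random()
    return k


def simulate_annual_losses(scenario: Scenario, years: int = 20_000, seed: int = 1) -> list[float]:
    """Return one simulated total loss per year; seeded so results are reproducible."""
    rng = random.Random(seed)
    mu, sigma = scenario.mu(), scenario.sigma()
    losses = []
    for _ in range(years):
        incidents = poisson_sample(rng, scenario.events_per_year)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(incidents)))
    return losses


def summarize(losses: list[float]) -> dict[str, float]:
    """Board-ready numbers: mean, median, 95th percentile and chance of any loss."""
    n = len(losses)
    ordered = sorted(losses)

    def pct(q: float) -> float:
        return ordered[min(n - 1, int(q * n))]

    return {
        "mean": sum(ordered) / n,
        "p50": pct(0.50),
        "p95": pct(0.95),
        "p_any_loss": sum(1 for x in ordered if x > 0) / n,
    }


def control_economics(baseline: Scenario, controlled: Scenario,
                      annual_control_cost: float) -> dict[str, float]:
    """Expected loss avoided, net benefit and return on security investment (ROSI)."""
    avoided = baseline.expected_annual_loss() - controlled.expected_annual_loss()
    net = avoided - annual_control_cost
    return {"avoided": avoided, "net_benefit": net, "rosi": net / annual_control_cost}


# Constructed illustrative scenario, not data from any real organisation.
RANSOMWARE = Scenario("ransomware on production", events_per_year=0.5,
                      median_loss=1_000_000, p90_loss=4_000_000)
# Hypothetical control (tested offline backups plus segmentation) assumed to
# cut incident cost to a quarter without changing how often attacks happen.
RANSOMWARE_WITH_BACKUPS = Scenario("ransomware, with tested offline backups",
                                   events_per_year=0.5,
                                   median_loss=250_000, p90_loss=1_000_000)
CONTROL_COST = 300_000  # assumed yearly cost of the control


if __name__ == "__main__":
    stats = summarize(simulate_annual_losses(RANSOMWARE))
    print(f"{RANSOMWARE.name}: expected ${stats['mean']:,.0f}/yr, "
          f"95th percentile ${stats['p95']:,.0f}, "
          f"chance of any loss {stats['p_any_loss']:.0%}")
    econ = control_economics(RANSOMWARE, RANSOMWARE_WITH_BACKUPS, CONTROL_COST)
    print(f"control avoids ${econ['avoided']:,.0f}/yr for ${CONTROL_COST:,}: "
          f"net ${econ['net_benefit']:,.0f}, ROSI {econ['rosi']:.0%}")
```

Two things in this output matter more than the headline average. The 95th percentile is several times the expected loss, which is the “bad year” number a Board wants beside the average, and the control comparison expresses a budget request as avoided loss against cost rather than as a colour on a slide. The results are only as good as the frequency and magnitude estimates that go in, which is why the inputs should be agreed with the business owners of the affected process, not set by the security team alone.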
7. Security is blocking business productivity
“Culture eats strategy for breakfast.” As CISO, you are tasked with driving the culture of security throughout your business. Your CEO’s main concern here is whether that strategy will unnecessarily impede business, so it’s up to you to work proactively and develop relationships with the diverse groups of business managers (not just the IT department) across the company.
Ulta Beauty CISO, Diane Brown, points out that cybersecurity professionals are all too familiar with using the word “no,” but in today’s risk climate, “changing your team’s mindset is critical to becoming a business enabler, instead of a business blocker.” In addition to technology solutions, successful cybersecurity strategies account for people and processes as well.
The NIST Cybersecurity Framework can help you arrive at the best cybersecurity strategy that fits into your business environment. From the NIST website: “…cybersecurity awareness and training efforts should be to create a culture of security…employees should view good cybersecurity practices as good business and as part of ‘how we do business here.’ Employees should feel enabled to make good cybersecurity decisions and understand what makes a good decision.” Your approach to cybersecurity should adjust to the structure of your organization’s culture, not the other way around.
Your CEO is the business leader of your organization, and they need contextual awareness to trust you are making effective decisions at a strategic and tactical level. It’s no secret that being a CISO is a high-stress job, and there is no special formula to guarantee success. Data breaches are inevitable in today’s world, and the solution depends on your cybersecurity preparedness and ability to communicate effectively. If any of these challenges sound familiar to you, Axio360 can help you demonstrate where your money is going and why you need it, ultimately building a better relationship between you and your CEO.
Curious as to how you can communicate more effectively to your Board and CEO to help ensure your job security? Register for our November 4th webinar with former BP CEO Bob Dudley on what you should be doing to manage cyber risk.