
How the CISO Can Build Support from Senior Management

Muneeb Imran Shaikh, Information Security Strategy, Governance & Risk Consultant
Strategy, Governance & Risk Consultant | Cyber Threat Intelligence Specialist | Privacy ISO27701 LI | ISO 27001 LI | COBIT 2019
Edited by: David Draper
Importance of appropriate Senior Management support for Cybersecurity and what is required to elicit the desired support.

Article initially published by ISACA at the link below:
https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2021/how-the-ciso-can-build-support-from-senior-management
Trust is the cornerstone of any relationship. It is built and nurtured progressively based on many factors. When we as a customer decide to choose product or service "A" over "B," it is based primarily on the perception of our trust that we place in that product or service provider. This trust, whether in its infancy or more developed, can grow or completely shatter due to unmet expectations.

Information security leadership plays a critical role in the establishment and maintenance of trust through the confidentiality, integrity and availability of the information systems and the data contained within. The executive leadership of any organization is responsible for keeping that trust at optimum levels.

Information security and privacy are newly pronounced points of emphasis for some organizations. To fully attain the objectives of a security strategy, the support of senior executive management outside the security division is extremely important.

However, the question remains: What kind of support is required by chief information security officers and how can they elicit that support?

What levels of senior executive management support are really needed?

The word support has unfortunately been reduced to a cliché. Chief Information Security Officers are often too happy with the assurances provided by their respective heads (CEOs, CROs, etc.) to have the "best security" in place to secure the business.

Fundamentally, the notion of having the "best security" is not appropriate by any means. The term "best security" is subjective in nature, and in having the "best security" in place, the security may begin to strangulate the business. This negatively affects the velocity of business operations. That's when friction begins to creep in, leaving aside the initial assurances related to security.

What follows is a fundamental question about how much security is enough. The answer lies in the phrase "just enough security" fit for the business, so that security does not end up harming the business. This requires you to carefully craft a security strategy with inputs from relevant stakeholders outside the security division.

Once the security strategy is developed and approved, the question of support comes into play. The support that CISOs need from this stage onward is the unwavering support that stems from having clarity about strategic security objectives and the determination to pursue those objectives.

The execution of an information security strategy often spans three years. It is natural to encounter various roadblocks during this time, which can drain the energy of the stakeholders and the teams executing the strategic information security initiatives.

It is during these moments that the determination of the executive management is tested. These are the moments when clarity of vision, mission and strategic objectives around information security plays a pivotal role in sustaining the energy and momentum necessary to execute the strategy.

This unwavering support for the information security program is the kind of support that CISOs should be looking for from the executives they report to. This is how they are able to deliver the expected information security services to the business and help the business establish and maintain the trust promised to its customers.

๐—˜๐—น๐—ถ๐—ฐ๐—ถ๐˜๐—ถ๐—ป๐—ด ๐˜๐—ต๐—ฒ ๐—ฑ๐—ฒ๐˜€๐—ถ๐—ฟ๐—ฒ๐—ฑ ๐˜€๐˜‚๐—ฝ๐—ฝ๐—ผ๐—ฟ๐˜

We explored above what it means to have appropriate support from senior executive management that goes beyond words and a surface-level understanding of security objectives. However, considerable effort needs to be put into place to elicit this desired support.

It is imperative to understand that in any given organizational environment, there are often multiple silent battles going on between organizational divisions. These battles are not necessarily based on malice but on differing views of how strategic business objectives should be pursued.

In the battle of narratives, it is often the wrong story and premise that wins. This is because the correct narratives are not appropriately presented and substantiated with facts, providing primary, secondary and tertiary level details to supplement the premise.

It is important, therefore, to understand that narratives around information security must be well crafted and supported by facts and empirical analysis, presenting security as an enabler of the business rather than a force that creates obstacles in business pathways.

When security acts as an enabler in the attainment of strategic objectives, it begins to demonstrate and inspire trust, reliability and accountability through its governance and risk management. This allows security to earn credibility, a good reputation and trust among the senior executive management, who in turn give due value to the concerns raised by security.

The challenge of insufficient budget allocation for security is a common one. These concerns expressed by security leaders are often valid; however, the shortfall sometimes stems from other issues, such as the reputation of the security team, the level of trust with executive leadership and how well security enabled the business in previous ventures.

CISOs may get the desired security budget, but if they do not understand or set clear expectations on how security will enable the business, they cause immense damage to the entire security division and its narrative. Therefore, budget allocation has to be dealt with strategically, by progressively building the reputation of the security team. We as CISOs can then ask for our desired budget consistent with realistic approaches, best practices and the needs of the business.

Remember that trust is earned over a period of time through consistent effort and taking the right approach. The pain that must be endured during this journey to develop trust in security is necessary to reach a more ideal state for the CISO and the security team.

It is imperative for cybersecurity leadership to understand these challenges and to utilize their resources efficiently to earn the trust of executive management, which will further enable the security leadership to attain their objectives.