By Tara Savage, Security Marketing Manager, BT
Latest results just in — only 25 per cent of Chief Information Security Officers (CISOs) can be classed as having a strategic influence over their board.
A surprising (and disappointing) result, considering the strides security has made in recent times as a whole-company enabler and strategic tool.
Getting CISOs board-influencer status is critical to the organisation’s success; the IBM study considers organisations to be more advanced if the CISO is an Influencer, perhaps because it ensures security is woven into the very beginning of all strategic conversations. Sixty per cent of organisations with an Influencer CISO cite security as a regular board topic and 71 per cent of companies with Influencer CISOs have a dedicated security budget line item.
Relax, you may say — we have the Chief Information Officer (CIO) at the board table; they’ll take care of security.
Well, it appears not.
Gartner’s 2011 CIO Agenda research shows that security is of low importance to CIOs — compared to the top concerns of increasing enterprise growth, attracting and retaining new customers, and reducing enterprise costs. In fact, improving business continuity, risk and security ranked only tenth in 2011 and is predicted to slide to twenty-third in 2014.
This may be due to a growing expectation amongst CIOs that security is now a given and is built into the fabric of every board-level strategy. CIOs know that if any strategy hasn’t included the security angle it will fail, but that assumption isn’t automatically being followed through in practice.
Whatever the reason, responsibility for talking security strategy in the board room in 2012 lies firmly with the CISO.
Jill Knesek, Head of Global Security — Professional Services with BT Global Services, has looked into how CISOs can gain influence at board level. She finds that it’s not all bad news: we’re now in an environment where security risks are acknowledged as real threats to the enterprise and are already being discussed and debated at board level; CEOs are asking the questions, “Is our company properly protected against an attack?” and “Is our customer data secure?” The IBM research shows that almost two-thirds of CISOs reported that senior management overall is now paying more attention to security than they did two years ago. Added to which, two-thirds of CISOs expected their organisations to spend more on security over the next two years.
Now the tough stuff. Historically, the CISO role was primarily technical, with a limited knowledge and experience on the business side of things. CISOs used best security practices to protect the company and its assets; security was a ‘thing’ that was applied. But today, as security is increasingly woven into every aspect of the enterprise, identifying the single ‘security’ element that’ll mitigate perceived risk becomes harder — and this can make it more difficult to gain support and funding for security programmes.
And evidence of how critical it is to get CISOs board-level influence keeps stacking up. Recent commentary by the Information Systems Security Association (ISSA) reveals how many senior executives are still failing to understand serious security issues such as the current level of international cyber threat; this is attributed directly to the failure of CISOs to get the message across to the senior management team.
So how do CISOs gain influence in the board room to win support for security activity?
Jill Knesek gives proactive relationship and stakeholder management top billing in her ‘how to’ advice, advocating that engaging business stakeholders is the key to CISOs gaining influence over the enterprise’s direction.
To achieve this, she recommends a number of simple (but effective) measures to create and foster relevant conversations about security with all areas of the organisation. For example:
- Regular meetings with stakeholders to educate, update and draw effective parallels between security issues in the wider business environment and risks on the organisation’s horizon.
- Building bridges with all areas of the organisation, being collaborative to get security priorities embedded into all business cases.
- Embracing the language of business in general and finance in particular (rather than the jargon of security) to weave security aims into the fabric of the organisation.
Measures like these have the power to push security up the board-room agenda.