Security Experts:

Overcoming Appeasement: Think About Risk From the Business Out

For a couple of decades now, the career path of a cybersecurity professional has been evolving just like the rest of the tech industry. Years ago the top title was the dedicated “security officer,” who was generally also the CIO, the CFO, or some other officer of the company.  

Of course all the IT security pros felt that role should reside with them, so eventually it did, and even more eventually we created a role called the CISO, the chief information security officer.

The problem with the CISO role today is that it holds a C-level title but may not always be at the C-level. In your typical organization, you might have the CEO, the COO, the CIO, and then the CISO — a C-level title that’s three steps down the chain.

That’s not the C-suite, folks—it’s appeasement. It’s title inflation meant to quiet an increasingly important group that wants a stronger seat at the table.

The Role of Chief Information Security OfficerSo how does our CISO profession continue to evolve and gain that seat?

First, we have to stop giving the security community a bad name by being the “no” people. For too long we’ve had a centralized view that security is of higher importance than the business itself. We can’t keep taking an adversarial approach.

The CISOs who have been highly successful are those who made themselves an integral part of the business. Maybe they have a couple dozen compliances, but they’re not simply demanding compliance reports. Your most successful CISO is usually one whose primary goal is to make the business successful.

Any time we’re dealing with a critical business process, first and foremost that process needs to sustain. The CISO needs to start there, and develop a control profile designed to mitigate risk while enabling business to continue seamlessly.

How can you quantify that risk if you haven’t quantified the value to the business? That’s what compensating controls are about. It’s not about the FUD of what malware has done to other people. Successful CISOs find a way to mitigate risk without putting a cumbersome gateway on an important business process.

The way to do that is to truly understand every process that powers the company. Before we ever do a risk analysis, it’s critical to know the business inside and out. Today it is a key skill to truly understand the business organism and be able to articulate how it lives. That means the entire business process — from somebody creating an order, to distributing something from a warehouse, to understanding the value of every cog that exists.

Knowing the business inside and out makes it easy to articulate areas of weakness. The real differentiator for a CISO who has a true seat at the executive table lies in that ability to correlate a real understanding of the business to threats and risks, and then communicate those threats back to the company in business language. Only then will executives understand the implications and impact of those threats and the relative importance of any mitigations.

In this way we become partners who justify and enable business decisions — while maintaining the position and authority necessary to have difficult conversations about risk when necessary.

As the CISO function continues to evolve, these skills are becoming table stakes for the position. There are currently millions of jobs and too few people to fill them. This is driving up salaries, which in turn attracts a broader pool of candidates. With that, it won’t just be IT professionals who are drawn to the CISO career path, but also MBAs and other business experts who understand the language of business and can learn security. 

For existing CISOs, the best way to approach your career today is by building your own business savvy. Partner with business groups to help them understand risk, and in turn improve your own understanding of the business logic that drives IT decisions. To take that next step and gain the ear of the C-suite, we must start to make that pivot — to build security from the business out. 

view counter
Preston Hogue is Sr. Director of Security Marketing at F5 Networks and serves as a worldwide security evangelist for the company. Previously, he was a Security Product Manager at F5, specializing in network security Governance, Risk, and Compliance (GRC). He joined F5 in 2010 as a Security Architect and was responsible for designing F5’s current Information Security Management System. Preston has a proven track record building out Information Security Management Systems with Security Service Oriented Architectures (SSOA), enabling enhanced integration, automation, and simplified management. Before joining F5, he was Director of information Security at social media provider Demand Media where he built out the information security team. Preston’s career began 18 years ago when he served as a security analyst performing operational security (OPSEC) audits for the U.S. Air Force. He currently holds CISSP, CISA, CISM, and CRISC security and professional certifications.