Faced with the challenges of cybersecurity, the role of the executive is fundamental: the support that general management gives its security function has a direct impact on how well the organization is protected against cyber threats. Yet only 30% of CISOs (Chief Information Security Officers) say they receive sufficient support from their executive leadership (Global Digital Trust Insights Survey 2022, PwC).
CISOs: how do you get the most out of your collaboration with executive management?
A company whose executives support cyber initiatives is a better protected company
When CISOs report that they have made progress on cybersecurity issues over the past 2 years, they are 12 times more likely to have received significant management support (Global Digital Trust Insights Survey 2022, PwC).
The leader can support cybersecurity initiatives in three ways:
- By making an explicit statement that establishes an enterprise-wide security and privacy imperative.
- By giving the information security function the means to carry out the cybersecurity mission: not only expressing support, but also providing the resources to implement processes that are secure by default and secure by design.
- By making it possible to transform the company's business and/or operating models towards "simple security", since complexity is the enemy of cybersecurity.
How do you achieve this commitment, generate buy-in and obtain support from the Executive Board?
Managing the present and anticipating the future: the CISO's challenge
Faced with growing and increasingly complex threats, the mission of the cybersecurity and information systems security function is twofold: to develop a strategy for the future while continuing to put out existing fires. The objective is to master the fundamentals of digital governance and risk management for everyday defense, and to anticipate new threats so that the company can move forward with confidence towards new digital initiatives.
The management team also usually wants to know how you assess the risks inherent in the organization. Your role is then to explain clearly how the risks the company is exposed to are evolving, and to build confidence in the company's resilience. To do this, think of security as the engine's lubricant: it must be positioned where the company's friction points are. At what level must security and the investments it requires be placed to become a business accelerator? The security definition of "good" is not fixed. Your role is to define what "good" means across your company, and to put security actions on the broader executive agenda.
Awareness: the CISO's #1 objective with respect to management
By raising awareness of cyber threats, the CISO plays a critical role in making the strong link between security threats and their potential impact on the business visible. As a CISO, it is important that you take the time to explain security practices and processes to your executive management. In doing so, you facilitate their understanding, but also and most importantly, you highlight how these processes support the broader business strategy.
Companies are constantly confronted with new types of threats, which generates concern and anxiety. The goal is to help management understand the issue well enough to feel that the threat is real but can be managed. To get a message across, it is necessary to speak the same language. When a subject seems abstract or too complex, the natural reaction is to avoid confronting it. The key is then to take the conversation out of technological language and make it intelligible to the uninitiated. By adopting the language of the executive, the CISO not only facilitates their understanding but also allows them to feel responsible for the risks carried by their organization.
The three topics to discuss with your management
Apart from urgent issues, here are the three topics you should systematically cover in your meetings with your executive leadership:
- Assess existing threats. What is their nature? What are the attackers' motivations, and how could this translate into threats to the company?
- Provide details on the risks inherent in the organization and how resources are currently being used to address those risks. Are the expenses in line with security expectations?
- Demonstrate the measurable results of security initiatives. How has the organization improved its security posture? Focus on progress against key risk indicators, and assess these improvements against a cyber maturity scale. Is the team on track to deliver the initiatives it planned to deliver?
When discussing potential solutions with your management, do not present them with a single option; instead, discuss how various scenarios might unfold. How do the tools we have and the strategy we are currently deploying help us predict the different scenarios envisaged more accurately? Focus on investments that are of the broadest cross-cutting interest to the company and where positive results can be expected, and measure their impact over time. Is the company more efficient, and is it better protected, thanks to the investments made?
The success of a good collaboration with your management often comes from the way you engage them, giving them the feeling that they get something out of their interactions with you. Do not expect your leaders to have security knowledge; bring yours to them. This also applies to other stakeholders in the company: make the message intelligible and relevant by adapting the content to the audience.
Our advice: promote storytelling, avoid jargon, be impactful.
What if you reversed the roles during a serious game session and put your leadership in a realistic cyber crisis scenario? A simple and innovative way to raise awareness.