How to make your CEO listen: CISOs share strategies

News by Jeremy Hendy

Creating a robust line of command when it comes to cyber security isn't as straightforward as it should be. By picking the right model and communicating in the right way, you can win the board round...

President Truman had a sign on his Oval Office desk that read: "The buck stops here."

The same is all too true for CEOs when it comes to digital risk fall out. 

Richard Smith, the former Equifax CEO who was forced to resign after a data breach affected 143 million customers, would no doubt agree. 

But, if the buck stops at the very highest level, what is the optimal chain of command? This was keenly debated at a recent CISO event, hosted by SC Media UK and Skurio.

Here are the key points from the discussion.

Choose the right model and the right talent for you 

There were several models discussed: IT, digital and risk. There are pros and cons for each but the trick is to use the right one for your business and culture. 

  • IT... An established reporting route. It stems from CIOs taking responsibility for security and cyber-security, as risk increases. 
  • Digital... Digital transformation is the most significant cause of increased digital risk so it makes sense to make this function self-policing. 
  • Risk... Digital risk reporting through the business risk chain of command, particularly now that GDPR fines are hitting. 

Take three key factors into consideration. Firstly, consider the business profile. With a large business that has global operations, manufacturing activities and factors like new market penetration, it’s likely there is already a risk team. Since business risk cannot be calculated without taking digital risk into account, this reporting structure would make a lot of sense. 

The second major factor is the nature of your IT infrastructure and operations. For many modern start-ups born in the cloud, the idea of a CIO is almost unthinkable. If you don’t have a datacentre or development function, the nature of your digital risk is more focused on third parties. This model can suit management by operational or digital teams.

The third key factor is maturity. A recent report from Cisco discusses the role of maturity in determining security success. The security journey starts with an understanding of needs to be protected and an ability to define and control processes. These are the fundamental building blocks that lead to understanding risk. If a CIO is responsible for these first two steps, having accountability for risk and technology to manage it, is a natural next step.

One point at the roundtable drew universal agreement: no matter the departmental responsibility or reporting route, board visibility is critical for digital risk, not least because your executives are often key targets in cyber-attacks. The board must understand the risk to make investment decisions. So, what’s the best way to secure this investment?

Prove the risk to the board – you will need to persist 

Persuading business leaders to invest in better cyber-security should be straightforward – or so you’d think. According to the roundtable it’s not as easy as all that. For starters, if IT, cyber-security and digital-transformation spend comes under a single budget, CISOs can struggle with balance: support business growth against protecting business growth. 

Then there’s the issue of having the resources in place to use the budget effectively – a pressing concern for many. They discussed techniques to convince the board that had varying degrees of success:

Don’t rely on the fear factor to persuade the board – be sophisticated and straightforward.

If you believe the best way to increase investment in improving digital risk and security is to tell the board what could happen without it – think again. 

The CISOs were unanimous. Even though a) attacks are on the increase b) compliance penalties are eye-watering c) reputations and (even) board positions are at stake… fear, uncertainty and doubt don’t work. 

Boards are used to dealing with risk – your argument needs to be more sophisticated than a straightforward invest or else. GDPR concerns drove a one-off increase in budget but boards feel they have paid that cost and don’t view it as a justification for investment.

Meet Security, the enabler

Illustrating the impact of security spend as a risk reducer and so a way to support digital-transformation efforts was one technique that had proven successful. 

Here’s an example: a business wants to implement a new suite of applications to support a customer success initiative which means accessing customer details on mobile devices. The scheme will increase digital risk, but with investment in password management, access via secure VPN etc., this risk decreases. 

Speak to the person

Another win for securing investment was to take a very personal approach. Understand who sits on the board and what they’re interested in. It might be growth, brand awareness, customer engagement, competition… in fact, any number of factors, not simply share price or shareholder value. 

Understand the data assets critical to their area of interest: social-media accounts, customer data, intellectual property etc. If you can describe how an investment secures the assets or addresses the concerns of each individual board member, you (almost) have a winning formula. 

The only thing that remains is to consider how best to deliver the news. A report, a spreadsheet (for at least one roundtable CISO, "telling a story" was the favoured option) and so on – use all the tools you have in your presentation arsenal to drive the message home. 

These tips and techniques can help as we enter full-swing into the season of organisational shuffling and budget proposals. Next month, we’ll be looking at trends and predictions for 2020 and what they might mean for digital risk. 

Jeremy Hendy is CEO of Skurio.