As a Chief Information Security Officer (CISO), your CEO might view you as a magical “shield,” a single person in charge of protecting the company from cybersecurity failures. In truth, no one can or should be tasked with singlehandedly safeguarding the company from cyber-crime, but the CISO will still be the one to “take the fall” if, or rather when, an attack occurs.
CISO turnover has become a pandemic of its own over the last few years. 24 percent of Fortune 500 CISOs leave their position after one year, according to a comprehensive study conducted by Cybersecurity Ventures, and the average term for all CISOs in the US is between one and a half and two years.
When things go wrong, it’s not only the CISO’s job on the line. Your CEO is the business leader of your organization, and their job security can be just as vulnerable as the CISO’s when hackers strike. Unsurprisingly, the relationship between a company’s CISO and CEO can quickly become contentious. Here, we’ll dig into what we see as the top seven reasons why your CEO may be looking for a new CISO.
1. You were breached, and you could have prevented it
In today’s cybersecurity climate, we can’t realistically expect a CISO to prevent every data breach attempt, and it is perhaps unfair to place the blame entirely on the CISO when they do occur. However, we’ve seen many instances of high-profile attacks that could have easily been prevented.
The Port of Houston’s response to this attack is a perfect example of how cybersecurity can work, even with the growing prevalence of cyber-attacks.
The Port of Houston cybersecurity success story is, unfortunately, not one we hear the most often. For example, Cisco experienced a breach when a disgruntled former employee wrought havoc by deleting hundreds of virtual machines and deactivating thousands of Webex Teams accounts. Cisco could have easily thwarted this attack with a zero-trust permissions policy, under which the former employee’s access would have been revoked upon departure. In this example, the zero-trust permissions policy would have been just a minor part of a larger, comprehensive security strategy.
A CISO is more than just a figurehead. As the leader of your organization’s cybersecurity strategy, it’s your responsibility to ensure that strategy permeates every level of business, making your company resilient to attacks. It’s your responsibility to foster a culture of best practices.
2. You haven’t been speaking their language
Again, when things go wrong, it’s not only the CISO’s job on the line, which is why clear communication between the CEO and the CISO is essential. As the business leader, the CEO needs to have the trust of the Board, which requires a clear and continuous understanding of the organization’s risk posture. It’s not the CEO’s role to understand the technical details of a security vulnerability – they need to understand what a successful exploitation of that vulnerability will cost the organization in dollars and cents.
Axio’s CEO, Scott Kannry, gives his perspective in detail here. In summary, the CISO needs to understand that a CEO’s main concerns are “growing the business and increasing shareholder value. As it relates to cybersecurity, [a CEO wants] a holistic picture, not a discussion of the latest technologies.”
In practice, this means taking a different approach from traffic light KPIs and arbitrary scores and indices in your weekly executive meetings. When a CISO depicts a risk area as a Yellow or Red on a status report, the CEO lacks the context to understand what those colors mean.
As a CISO, you will need to get buy-in from your CEO for projects and initiatives. Cultivating C-Suite support does not have to be a challenge if you can demonstrate the business value. For example, when you approach your CEO, don’t present absolutes or ultimatums. Give them more than one option and present a high-level summary of the different business tradeoffs that can be made in your proposal. Make clear what the actual business cost will be vs. actual risk reduction. Ultimately, the CISO and CEO share the same goal in preventing cyber-attacks.
3. No Visible ROI on Security Initiatives
Many CISOs struggle with demonstrating their security program’s ROI. Your CEO wants to know whether – and to what extent – the implementation of more security measures is accelerating business productivity and ultimately the company’s bottom line. Cybersecurity is more than just defense – a successful program will also help drive the business forward.
When you get buy-in from your CEO and Board on a particular security initiative, you must be prepared to track and demonstrate ROI. CEOs and business leaders want to know if you’re making progress and doing due diligence. CISOs are constantly asking for more money every quarter, but what are they spending it on? How can they show value to the CEO?
For example, at an enterprise level, your business probably spends a significant portion of its budget on dozens of cybersecurity technology solutions, each of which carries the added cost of the resources needed to implement and maintain it. The average company uses more than 50 security vendors, with 62% reporting they want more. How can you ensure you’re getting the most out of these tools and focusing your energy in the right direction?
A critical part of a CISO’s job is to prove positive ROI on investments. As with learning to “speak” your CEO’s language, the key is showing how your security initiative adds business value to the company. Impact Business Technology, partnered with Axio, offers a platform that can help show “with certainty how new [cybersecurity] initiatives for IT security will reduce or eliminate risk and demonstrate a clear ROI.”
Initiatives that directly support financial gain, such as building a new software product that generates revenue for the company, are easily measured. The challenge a CISO faces is that the budget needed to execute a sound cybersecurity strategy is not measured as easily as software sales. This is where the Axio360 platform and Impact Business Technology can “build a comprehensive picture of the costs of a security incident covering all facets of the business,” said Brittany A. Bohacz, Director, Alliances for Axio.
4. You Are Using Traffic Light KPIs in Your Weekly Executive Status Updates
When presenting to the CEO or Board, a CISO must be clear in their vision statement. KPI (Key Performance Indicator) and Board reporting can quickly devolve into a hugely abstracted (and boring) presentation.
In preparation for these weekly KPI reports, you can expect to get a lot of data from your various teams, and it’s your task to turn this plethora of information, all from different sources, into a cohesive story. Reporting this information upwards is tricky because you’re receiving so much data from all over your security environment, and you will inevitably lose details as the data moves up each level of seniority.
The biggest challenge, then, is showing your teams’ progress. For example, maybe last month you moved a project from Red to Yellow, which is good, right? But then you could potentially spend months, or even years, in Yellow because the time commitment needed for the underlying projects is extensive. Progress is being made on the project, but its long-term status in Yellow can obscure the actual progress being made.
How can you show value when your KPIs make it look as if nothing is happening? With a detailed executive dashboard. You can show a much greater level of detail, and progress, in the same amount of time it takes to present traffic light KPIs. Axio can generate a more detailed dashboard that a CISO can use to demonstrate actual progress. Instead of reporting one abstract number, you can use this dashboard to break down risk assessment areas using graphs. This approach keeps your details accessible to the CEO and Board members and highlights your teams’ progress objectively.
5. You are constantly asking for more money…